It's a security risk if it isn't backed up with equivalent or stronger validation on the server side.
It can be very powerful as an ease-of-use feature to make the UX smoother, preventing tedious or jarring round-trips and page reloads, but you're quite right that you can't rely on it as a security feature.