Hacker News

This is incorrect: any request made by a browser to a backend will, by definition, accept user input whether it wants to or not.

I can change the values of the presets, I can add headers, remove headers, change the value of cookies, add cookies, remove cookies, etc.

Strictly speaking, you are correct. But in this case dealing with user input such as headers and their modifications is the responsibility of the server, just like dealing with potentially malformed HTTP replies is the responsibility of the browser. What we are talking about here, though, is the possibility of interaction with the remaining elements of the system (application, database). If these are read-only, the attacker loses these attack vectors.
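Both comments agree on one point: every request header and cookie arrives under the client's control, so the server must parse them without assuming a well-formed shape, and a read-only front end can simply refuse anything outside the few methods it serves. The following is an added example, not code from either commenter: a tolerant Cookie-header parser plus a request classifier for a read-only front end. The cookie name `sid`, the 32-hex-character session-id format, the 8 KiB header limit and the sample requests are all constructed for illustration.

```python
"""Treat every request header as attacker-controlled input (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed assumptions for the example; a real deployment sets its own.
SESSION_ID_RE = re.compile(r"\A[0-9a-f]{32}\Z")   # session ids are 32 hex chars
MAX_HEADER_BYTES = 8192                            # refuse oversized headers
READ_ONLY_METHODS = frozenset({"GET", "HEAD"})     # the only methods served


def parse_cookie_header(raw: str) -> Dict[str, str]:
    """Parse a Cookie header without trusting its shape.

    - Pairs are split on ';' and on the first '=' only.
    - Pairs with no '=' or with an empty name are dropped, never raised on.
    - On duplicate names the first value wins, so appending a second
      ``sid=`` cannot change which value the server acts on.
    - Surrounding double quotes are stripped; any pair containing a control
      character is discarded.
    """
    cookies: Dict[str, str] = {}
    for pair in raw.split(";"):
        pair = pair.strip()
        if not pair or "=" not in pair:
            continue
        name, _, value = pair.partition("=")
        name, value = name.strip(), value.strip()
        if not name or name in cookies:
            continue
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in name + value):
            continue
        cookies[name] = value
    return cookies


def classify_request(method: str, headers: Dict[str, str]) -> str:
    """Decide how a read-only front end treats one request.

    Header names are matched case-insensitively, as HTTP requires.  The
    outcome is 'anonymous', 'session:<id>' or a 'reject:<reason>' string
    the caller can log; the request never reaches application or database
    logic with an unvalidated cookie value.
    """
    if method.upper() not in READ_ONLY_METHODS:
        return "reject:method"
    lower = {k.lower(): v for k, v in headers.items()}
    raw_cookie = lower.get("cookie", "")
    if len(raw_cookie) > MAX_HEADER_BYTES:
        return "reject:oversized"
    sid = parse_cookie_header(raw_cookie).get("sid")
    if sid is None:
        return "anonymous"
    if not SESSION_ID_RE.fullmatch(sid):
        return "reject:cookie"
    return f"session:{sid}"


# Constructed sample requests exercising the cases a browser or a hand-edited
# client could send: a normal cookie, a quoted and duplicated cookie, a value
# in the wrong format, a header made only of junk, a write method, an
# oversized header.
VALID_SID = "ab" * 16
SAMPLE_REQUESTS: List[Tuple[str, Dict[str, str]]] = [
    ("GET", {"Cookie": f"sid={VALID_SID}"}),
    ("get", {"cookie": f'theme=dark; sid="{VALID_SID}"; sid=ffff'}),
    ("GET", {"Cookie": "sid=not-hex-at-all"}),
    ("GET", {"Cookie": ";;;=;novalue;=empty"}),
    ("POST", {"Cookie": f"sid={VALID_SID}"}),
    ("GET", {"Cookie": "sid=" + "a" * 9000}),
]


def run_samples() -> List[str]:
    """Classify every constructed sample request, in order."""
    return [classify_request(m, h) for m, h in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (method, headers), outcome in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{method:<5} {outcome}")
```

The design choice worth noting is that malformed input is handled by dropping the offending pair or refusing the request with a reason, never by raising from inside the parser: an exception path in header handling is itself a way for client-controlled bytes to influence server behaviour.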