JavaScript
del993788, 2017-01-04 13:50:40

How is this JS acquiring protected?

Hello. I came across an advertisement for Internet acquiring: https://oplata.tinkoff.ru/documentation/?section=widget I went to the documentation, and they have a connection method called "Connection via payment widget". Look at the 5th point in the documentation:

5. Insert the call to the payment form at the place in the code where the "Pay" button will be placed. In the widget call, pass the amount, the order number (optional) and the order description (optional).

Since you can easily change the value of the input name="paySum" to your own and pay 1 ruble for an order of 100k, the question immediately arises: where is the actual security?
Here is what I have: the order amount sits in the session > I pass this amount to the paySum input > the person changes the value of the input to his own > pays for the order > and that's it? Finita la commedia? There is an order and it is paid.


1 answer
yegreS, 2017-01-04
@yegreS

Most likely, the notification URL will receive the amount paid by the user
