Why is a message lengthening attack dangerous?
I would like to understand how dangerous the message lengthening attack is. As far as I know, SHA-256 is vulnerable to this attack. Does it make sense to abandon SHA-256 in favor of Keccak?
In theory, it is dangerous because you can change the request, and accordingly perform what this request is responsible for (well, for example, transferring money).
It is up to you whether to use Keccak or SHA-256, depending on the application. You can use Keccak, or you can do additional operations to modify the hash to obfuscate it: for example, take the same SHA hash, add 6 to all the digits and convert to hex (it was 8, 8+6 = 14, in hex it is E), then swap even characters with odd ones (it was a1b2c3, it became 1a2b3c), and then add a CRC and append the first two characters of the md5 (of the received hash) to the end. I doubt very much that, even with such elementary manipulations, an attacker holding an obfuscated hash will be able to get the original version, figure out that it is SHA-256, and then also carry out a message lengthening attack. But tasks and applications are different, so I am fully aware that this is not applicable everywhere...
It is not SHA-256 itself that is vulnerable, but its incorrect use as an HMAC. The correct HMAC looks like https://ru.wikipedia.org/wiki/HMAC .