Not exactly, the field name is not used by ACF, the field key is. Yes, I suppose that someone would be able to add something like:
<input type="hidden" name="acf['field_1234567890']" value="test">
I guess what you have to ask yourself is, who’s going to be using your theme and will there be people using it that want to hack values that are part of the site.
I have not tested the ability to do this… and I’m not the developer. You may have a valid concern and you might what to consider submitting a support ticket https://support.advancedcustomfields.com/new-ticket/ and bring your concern up.
I actually have a plugin https://github.com/Hube2/acf-user-role-field-setting/ and I’m going to look at adding a security check to this plugin to add a check for submitted values to see if the user is allowed to modify a field.
update: I have added this security feature to the user role field setting plugin.
