Presigned URL security issue

When generating presigned url, i set object metadata within PutObject command

const command = new PutObjectCommand(
  {
      Bucket: 'user-assets',
      Key: `catalog-images/${uuidV4()}.${extension}`,
      ContentType: dto.contentType,
      Metadata: {
        'user-id': userId
      }
   }
)

return getSignedUrl(this.s3, command, { expiresIn: 3600 }) 

returned URL is

https://<bucket>.<account_id>.r2.cloudflarestorage.com/catalog-images/e5ebc599-e71f-4305-8b5a-07869d9c4535.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=45a98b97e98a7f6d312ce71fdbc0595c%2F20230717%2Fauto%2Fs3%2Faws4_request&X-Amz-Date=20230717T032928Z&X-Amz-Expires=3600&X-Amz-Signature=28931854f77b43df48eec6566d95fe041ac91529dd66760db501bf3ac0c4e688&X-Amz-SignedHeaders=content-type%3Bhost&x-amz-meta-user-id=ci72mmgm60f0gsn8fc30&x-id=PutObject

On client side when uploading object through that generated URL, client request is not rejected when modifying x-amz-meta-user-id so client can set defined metadata value as they want

> PUT /catalog-images/e5ebc599-e71f-4305-8b5a-07869d9c4535.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=45a98b97e98a7f6d312ce71fdbc0595c%2F20230717%2Fauto%2Fs3%2Faws4_request&X-Amz-Date=20230717T032928Z&X-Amz-Expires=3600&X-Amz-Signature=28931854f77b43df48eec6566d95fe041ac91529dd66760db501bf3ac0c4e688&X-Amz-SignedHeaders=content-type%3Bhost&x-amz-meta-user-id=ci72mmgm60f0gsn8fc30&x-id=PutObject HTTP/1.1
> Host: <bucket>.<account_id>.r2.cloudflarestorage.com
> x-amz-meta-user-id: <whatever-is-set>
> content-type: image/png
> Accept: */*
> Content-Length: 34600

I’m expecting when user modifying URL parameters / header it’s should be rejected / signature mismatch