I'm sorry to hear this, Todor.
There's basically no difference between a GET and POST http request, except for the technical limitations of a GET. Using GET only to fetch and POST only to modify is just a convention, nothing more. Any GET request can easily be converted into a similar POST request. It only requires the backend to accept them.
I do appreciate your desire to enable the user to change whatever parameters they want in the URL, except that this is not always preferable. Parameters can also be used inside the report to store "global" values in the report, but not as long as you're exposing them.
Our issue is that our frontend handles multiple (10+) user profiles, each of which has its own sensitive information in their reports. But because the users can easily "hack" the url of the shown report (parameters _and_ report name), we're forced to create multiple almost identical reports, typically one for each user.
And in some cases we've even been forced to rename the report names themselves to a random GUID to disable hacking.
I would therefore again urge you to add the possibility to fetch reports using POST, so hiding parameters from a user would be possible. If some of the parameters should be exposed to the user, it may be done in the report itself.
Alternatively, properties on a parameter, that control whether it should be exposed automatically or not, would be beneficial.