More precisely, users will do things to your application that you never expected or intended. But for the most part these users are not evil. There are, though, a small subset of users who are actively attempting to corrupt your Web application and they will more likely than not find a way to do so. A blog over at SANS points this out: Client Side Input Validation is Evil. Again the title overstates the problem, but if your application relies ONLY on JavaScript validation (AJAX or otherwise) your application is seriously weak.
This is not to say that client side validation does not have its place. Most ordinary Web users appreciate being warned of errors before being sent on a round trip to the server and back. But please, please do not make the assumption that what comes in through HTTP has first passed through your JavaScript library. Once we understand that a miscreant will bypass your Web form entirely, it becomes clear that any validations that you perform on the client side must also be reproduced on the server. It’s a given and something that I wished more frameworks/libraries would simplify.