I have a form behind a magic link and would like to update some fields, but it seems to accept any input so this could introduce unexpected data if someone were to send rogue requests.
Yes, the local api hits validation. You can see here all of the operations. These run for rest/graphql/local, you can open one of the operations and look for the beforeValidate hook, after that hook fields get validated.
Get help straight from the Payload team with an Enterprise License.