The problem is the client can modify and post the ciphertext all it likes until, eventually, the server does something undesirable, since the server is merely decrypting and acting on the data without verifying it hasn't been tampered with.