The ad_form key/item_id is signed so it should be reasonably safe. This is how every non-Xo* form in OpenACS already works.
I understand by reading the code what is happening, and I can extend the Wikiform to do what I need.