Description
botogram implemented a safe way to handle callback queries, as you can read in the documentation (https://botogram.pietroalbini.org/docs/dev/buttons/#buttons-security).
The problem is that the callback_data is not sent by Telegram, but by the clients. So if a bot is admin of a group and it allows banning spamming users with buttons, and the callback_data contains parameters (for example ban_user:123456789), a malicious client could change the parameter (for example ban_user:987654321) even though the text of the callback could be the same.
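
One way to make altered callback_data detectable, as an added example (not botogram's code and not part of the original issue): the bot appends a truncated HMAC over the chat id and the payload, and rejects any callback whose tag does not verify. The function names, the `|` separator, the 12-byte tag length and the sample secret are assumptions of this example.

```python
import base64
import hashlib
import hmac

MAX_CALLBACK_BYTES = 64  # Telegram accepts 1-64 bytes of callback_data
TAG_BYTES = 12           # truncated HMAC-SHA256 tag (assumed length, 96 bits)


def _tag(secret: bytes, chat_id: int, payload: str) -> str:
    # Bind the tag to the chat so data issued for one chat fails in another.
    msg = f"{chat_id}\x00{payload}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()[:TAG_BYTES]
    return base64.urlsafe_b64encode(digest).decode()  # 16 chars, no padding


def sign_callback(secret: bytes, chat_id: int, payload: str) -> str:
    """Build the callback_data the bot attaches to a button."""
    data = f"{payload}|{_tag(secret, chat_id, payload)}"
    if len(data.encode()) > MAX_CALLBACK_BYTES:
        raise ValueError("signed callback_data exceeds 64 bytes")
    return data


def verify_callback(secret: bytes, chat_id: int, data: str):
    """Return the payload if the tag is valid for this chat, else None."""
    payload, sep, tag = data.rpartition("|")
    if not sep:
        return None  # no tag present: data was not issued by this scheme
    try:
        expected = _tag(secret, chat_id, payload).encode()
        received = tag.encode()
    except UnicodeEncodeError:
        return None  # malformed text from the client
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return payload if hmac.compare_digest(expected, received) else None


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed value for the demo
    signed = sign_callback(secret, -1001, "ban_user:123456789")
    forged = signed.replace("123456789", "987654321")
    print(verify_callback(secret, -1001, signed))  # payload accepted
    print(verify_callback(secret, -1001, forged))  # rejected
```

The tag only shows that the bot issued this exact payload for this chat. Whether the user who pressed the button is allowed to ban someone still has to be checked in the handler.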