Notice that it's not checking the data with JavaScript. I was under the impression that there is already a security measure against this as far as JavaScript is concerned. The browser is already instructed to lie to JavaScript about certain details such as the :visited state of a link and any CSS rules that follow as a result of this.
Even if you can't read the values with JavaScript, you can submit the form with JavaScript.
So then you'd need to prompt the users to confirm that they want to auto fill, not just notify that auto fill happened. Otherwise it may already be too late.
Even if you couldn't read any hidden value with JS and had no way of telling if they changed (didn't try it myself) you could submit the form every 5-10 seconds or so in the background and reject it server side if a hidden field is missing.
