Agreed. I also found it pretty odd. This is how I did instead:

  defp save_demographic(socket, params) do
    params
    |> assign_current_user_param(socket)
    |> Survey.create_demographic()
    |> case do
      {:ok, demographic} ->
        send(self(), {:created_demographic, demographic})
        socket

      {:error, %Ecto.Changeset{} = changeset} ->
        assign(socket, :changeset, changeset)
    end
  end

  defp assign_current_user_param(params, socket) do
    Map.put(params, "user_id", socket.assigns.current_user.id)
  end

Also got rid of the assignment and field entirely!

Another agreed here since hidden input fields are still visible client-side (in the code) so those values can be used by bad actors.

I did the same concept as @vrcca for save_demographic/2, and for save_rating/2:

For page 196, I removed the hidden input fields:

<%= hidden_input f, :user_id%>
<%= hidden_input f, :product_id%>

And modified save_rating/2 on page 199 to add user_id and product_id from the values already in the socket assigns (rather than from the hidden input field):

defp save_rating(
       %{assigns: %{product_index: product_index, product: product}} = socket,
       rating_params
     ) do
  rating_params
  |> add_user_id_param(socket)
  |> add_product_id_param(socket)
  |> Survey.create_rating()
  |> case do
    {:ok, %Rating{} = rating} ->
      product = %{product | ratings: [rating]}
      send(self(), {:created_rating, product, product_index})
      socket
  
    {:error, %Ecto.Changeset{} = changeset} ->
      assign(socket, changeset: changeset)
  end
end
  
defp add_user_id_param(rating_params, socket) do
  Map.put(rating_params, "user_id", socket.assigns.current_user.id)
end
  
defp add_product_id_param(rating_params, socket) do
  Map.put(rating_params, "product_id", socket.assigns.product.id)
end