First, lets start of by establishing how Marketo is able to prefill a form with lead information.
Whenever a lead encounters one of your pages that has munchkin in the source code the cookie in the lead's browser will be read. If a cookie does not exist, then one will be created and associated with an anonymous record in your database, which will allow the lead to be tracked until they identify themselves. The cookie makes it possible for the munchkin code to append new tracking activities to the lead's record in your database, and allows any form you have on your page to access the information in the lead record associated with the cookie.
A lead's browser can also be cookied when they interact with emails sent from Marketo. Each link in emails you send from Marketo gets "wrapped" with tracking information specific to the lead it is sent to. These links, when clicked, carry the tracking information to their browsers, and the munchkin is able to tell which record the email was sent to.
A form cannot prefill with any information unless there is a Marketo cookie present in the browser. The trouble is that it's possible for someone to get cookied as or associated with a different lead record. When this happens, all of their activities will be appended to the new record from then on, until their cookies are deleted.
A lead can be cookied/mis-cookied in a few ways.
1. Lead/User fills out a form. If they're using their own email address then there's no problem, but if for some reason they'reusing the email address from a different lead record, then they'd be cookied/associated with that record.
2. Lead/User clicks a tracked link in an email. As described above, if the email was meant for the lead clicking the link, then there isn't a problem.
3. Lead/User clicks a tracked link copy/pasted from an email. As I said, links are "wrapped" for the original recipient. If the link get's copy/pasted anywhere else, the tracking remains the same. Each new person clicking the link gets cookied as the original recipient and will then see that person's information in a pre-filled form. This is especially common among Coworkers who use Marketo and are testing pages and emails often.
4. Lead/User clicks a tracked link copied/shared from a forwarded email. Similar to number 3, but instead of the link getting copied somewhere else, the whole email gets forwarded to other people.
5. Lead/User was sent a sales email as part of a mass send from the Outlook or Gmail plugins, which are only designed for 1-to-1 sends. Sending to multiple email addresses will cause the links to all track to the first person in the To: field, and everyone else gets cookied as that person.
Because of the way Marketo works it's absolutely not possible for someone to see another lead's information unless they have filled out a form using the email address associated with that record, clicked a tracked link meant for another lead, or been part of a batch send from the Outlook or Gmail plugins. The second is most common, but all of them will cookie the person's browser just as easily.
To prevent this, it's a good idea to use a separate browser for testing, or to clear the cache and cookies of your browser when testing pages/forms/emails. You can also use Icognito mode if your browser allows it.
At this time it's not possible to dissociate a cookie/browser with a lead record. Once that connection is made, the only option is to remove the cookie from the browser.