We tried using Marketo Lead ID as the only GET parameter, as it's a unique identifier associated with lead's personal data. But that's even less safe: replace one character in the ID and if you're lucky, you get another lead's data in your form.
The only way passing an ID populates a form is if you're using the API to query the lead database. This is already a bad design because you're vulnerable to an easy DoS, so I wouldn't put PII leakage as the main problem there!
Also wouldn't worry foremost about the issue of guessing other IDs. The question is whether this ID can be used to lookup this lead's PII (and it can, since your form is basically a UI to do that lookup).
And even if you encrypted the query params, you're still providing a form that decrypts them automatically. As the saying goes, data that is decrypted without user intervention is not secure (usually said with regard to saved "encrypted" passwords, but same idea).
Bottom line: don't use GET to pass this information.