Unsubscribe link doesn't function correctly

Parul_Arora
Level 1

In a promotional email, the Unsubscribe link is not associated with the person's ID. This is a generic link (see below).

Therefore I can also unsubscribe anyone (by giving any other person's ID) from the same unsubscribe link.

http://na-ab39.marketo.com/lp/hclamerica/UnsubscribePage.html?mkt_unsubscribe=1 

It is not a correct use case, per me. Is there a way to deal with this? Or can we pass a unique identifier in the unsubscribe link so that it can't be reused for another ID? Thanks!

1 REPLY
SanfordWhiteman
Level 10 - Community Moderator

Re: Unsubscribe link doesn't function correctly

As you acknowledge, you're coming up with an idea of "correct" behavior that doesn't come from how Marketo works (and has always worked).

The link is just a link to an LP (which happens to be your UnsubscribePage.html, but it's otherwise the same as any LP once they get there).

If the LP has a form on it, and the form exposes the email as an editable textbox, then yes, anyone can easily see that they can enter another address. If you want to reduce the temptation to enter another address if the person is relatively innocent/unskilled, then remove the form field and just have the button. However, this won't stop them from deliberately and maliciously submitting the form on behalf of another person.

If you want to move beyond the default level of security, you need to institute either

   (a) a confirmation link sent to the form submitter, and only after they click another button (note: not just click the email link, that will not work)

   or

   (b) a self-service "confirmation code," most likely the Marketo Unique Code that everybody already has, and they need to enter that code alongside the email address in order for the value to be changed.
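
The check described in (b), combined with the "click another button" rule from (a), sketched as an added example that is not part of the reply above and is not Marketo code. The HMAC-derived code is a hypothetical stand-in for a per-person code, and `SECRET`, `code_for`, and `handle_request` are names assumed for illustration.

```python
import hashlib
import hmac

# Assumption: a server-side secret that never appears in emails or pages.
SECRET = b"constructed-demo-secret"


def code_for(email: str) -> str:
    """Per-recipient code placed only in that recipient's own email."""
    normalized = email.strip().lower().encode()
    return hmac.new(SECRET, normalized, hashlib.sha256).hexdigest()[:20]


def handle_request(method: str, email: str, code: str, subscribed: set) -> str:
    """Hypothetical unsubscribe endpoint; returns a status string."""
    key = email.strip().lower()
    # Constant-time comparison so the check does not leak matching prefixes.
    if not hmac.compare_digest(code_for(key).encode(), code.encode()):
        return "rejected"  # wrong or missing code: nothing changes
    if method != "POST":
        # Following the emailed link (GET) only renders the confirm button;
        # automated link fetchers must not be able to change state.
        return "show_confirm_button"
    subscribed.discard(key)
    return "unsubscribed"


if __name__ == "__main__":
    # Constructed sample data.
    subscribed = {"alice@example.com", "bob@example.com"}
    alice_code = code_for("alice@example.com")
    # Alice's code does not authorize a change to Bob's record.
    print(handle_request("POST", "bob@example.com", alice_code, subscribed))
    # A bare link fetch with a valid code changes nothing.
    print(handle_request("GET", "alice@example.com", alice_code, subscribed))
    # The button press (POST) with the matching code performs the change.
    print(handle_request("POST", "alice@example.com", alice_code, subscribed))
```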