Security of the ReceiptUtility.extractTransactionId(appReceipt:) function for App Store Receipt

[shimastripe]

I have confirmed that it is recommended to use the ReceiptUtility.extractTransactionId(appReceipt:) function of this library to extract the transaction_id from the App Store Receipt on my backend server, and then use the extracted transaction_id to retrieve data via the App Store Server API, as part of a backward-compatible migration process.

My understanding is that the App Store Server Library extracts the transaction_id from the receipt without performing tamper verification. This is noted in the comments.

https://github.com/apple/app-store-server-library-swift/blob/b631d3727875dbd2f3d1d3733c514360bf01de36/Sources/AppStoreServerLibrary/ReceiptUtility.swift#L13

Is this approach based on the assumption that valid transaction_ids have not been leaked externally? I am concerned about the possibility that a user who knows a valid transaction_id might be able to tamper with the contents of the receipt.

Thanks.