If you go back into the custom form after changing the "show in request" flag from no to yes, the custom form should look at the current blueprint settings and attempt to validate the fields. It'll then tell you that it's required and won't let you save it until you change that field to required = yes. This is probably why it's allowed to fail in the request if you didn't perform this step.
I received a pretty comprehensive response from engineering today after a PR was opened on this issue. The response indicates that this is intended behavior and was a result of security concerns. Full text below:
1. This behavior is not a bug, this behavior is by design.
2. The change to remove hidden properties in a request submitted by a basic user was made in an earlier version in response to customer complaints that there was a security hole risk in vRA that allowed users making requests via vRO or REST to add request properties that were disallowed through the UI. In the UI, a basic user does not have access to any properties not marked show-in-request in the blueprint (i.e., the properties tab is hidden from them). Customers viewed this as a must-fix security hole. This is what drove the change.
3. Moving forward, requests submitted with a hidden property by a basic users, will not be passed in the payload. Only requests submitted by members of the Group Manager and the Support User role can pass the value of a hidden property in the request payload.
4. In summary, if you wish to use hidden properties in your blueprints, you will need to add those users to either the Support User role or the Group Manger role. You may also select the "Show in Request" box so that the value of the hidden property is passed in the payload.
I also received another response from the dev team.
From Composite Blueprint standpoint Custom Properties which are NOT 'Show in request', cannot be edited or even seen by 'Basic User'.
The difference with Custom Forms is that in the Designer whether 'Show in request' is checked or not, we're able to drag the property and display it in the form giving the impression that it can be edited by everyone. The issue is when Basic User is filling in the value and it gets filtered from request data by the Blueprint Service in the backend when executing the Custom Properties validation.
There is no workaround for this except enabling the 'Show in request' flag of the properties in the Composite Blueprint. Custom Properties are treated specifically and this is by design. Except describing this in documentation/KB there is not much we can do.
This makes sense to me.