Yup, ASP's "__VIEWSTATE" hidden form parameter comes to mind. It was base64-encoded and POSTed because it could get loooong (hundreds of KB).
Terrible for browser navigation/refresh though, because pretty much everything was a form POST. Thus no URL state sharing, either.
Also a terrible idea to execute code from the client, even if it's supposedly signed.
https://darkatlas.io/blog/critical-sharepoint-vulnerability-...
Exactly, this approach doesn't scale well without trickery involved. You have to have some sort of weird encoding in place to compact it down.