Say, an endpoint tries to be helpful and responds with “no such user: foo” instead of “no such user”. Or, as a sibling comment suggests, any create-with-properties or set-property endpoint paired with a get-propety one also means game over.
Relatedly, a common exploitation target for black-hat SEO and even XSS is search pages that echo back the user’s search request.