Historically, `<h:form prependId="false">` was introduced in JSF 1.2 as sort of patch in order to be able to submit to the predefined URI `j_security_check` using a JSF form because that URI expects the exact input field names `username` and `password` without any (generated) prefix.
Since the introduction of programmatic login API `HttpServletRequest#login()` in Servlet 3.0, released at the same time as JSF 2.0, the `prependId=false` has become unnecessary as people can just invoke `HttpServletRequest#login()` in a backing bean action instead of explicitly submitting to the predefined URI `j_security_check`. Moreover, using `prependId=false` breaks the in JSF 2.0 introduced `f:ajax` and composite components as well as the in JSF 2.3 introduced `f:websocket` because it causes the `findComponent()` to not anymore work within naming containers, see also among others https://github.com/jakartaee/faces/issues/573
These days, people don't anymore use `<h:form prependId="false">` specifically to be able to submit to `j_security_check`, but they essentially abuse `prependId=false` generally to be able to use ids in CSS selectors without the need to escape them. But these people actually need to be re-educated about CSS best practices so that they don't anymore need ids in CSS selectors for non-unique elements/components, see also among others https://stackoverflow.com/a/5882502
All in all, using `<h:form prependId="false">` in JSF 2.x or newer is a red flag and is always discommended. We should deprecate the attribute and eventually remove it so people won't anymore fall into the trap. Do note that this attribute is absent in all naming container components other than `UIForm` and the community never reasonably requested for standardizing it in `NamingContainer`.