Of course $_POST, $GET and $_REQUEST (and $_COOKIE) can be exptected to contain about anything that you do not expect. As developer you know how easy it is to manipulate a query string or to post data to some Web application so treat this data with proper caution, always.
$_SERVER suggest only server data but that's not true. It contains lots of client data that could have been compromised. Just do a var_dump($_SERVER) to see for yourself. This is also true for the less well known $_ENV superglobal which can contain the values of CGI variables for instance.
$_SESSION is the only superglobal that you can trust because that one only contains data that you put in there yourself.