Historically, <h:form prependId="false"> was introduced in JSF 1.2 as sort of patch in order to be able to submit to the predefined URI j_security_check using a JSF form because that URI expects the exact input field names j_username and j_password without any (generated) prefix.

Since the introduction of programmatic login API HttpServletRequest#login() in Servlet 3.0, released at the same time as JSF 2.0, the prependId=false has become unnecessary as people can just invoke HttpServletRequest#login() in a backing bean action instead of explicitly submitting to the predefined URI j_security_check with predefined input field names j_username and j_password. Moreover, using prependId=false breaks the in JSF 2.0 introduced f:ajax and composite components as well as the in JSF 2.3 introduced f:websocket because it causes the findComponent() to not anymore work within naming containers, see also among others #573.

These days, people don't anymore use <h:form prependId="false"> specifically to be able to submit to j_security_check, but they essentially abuse prependId=false generally to be able to use ids in CSS selectors without the need to escape them. But these people actually need to be re-educated about CSS best practices so that they don't anymore need ids in CSS selectors for non-unique elements/components, see also among others https://stackoverflow.com/a/5882502.

All in all, using <h:form prependId="false"> in JSF 2.x or newer is a red flag and is always discommended. We should deprecate the attribute and eventually remove it so people won't anymore fall into the trap. Do note that this attribute is absent in all naming container components other than UIForm and the community never reasonably requested for standardizing it in NamingContainer.