The mechanism would be that you've transported it over a secure transport in the first place, e.g. HTTPS or encrypted email. No different than a Bitcoin address or plain payment URI.
So if a merchant doesn't have an SSL certificate and thus doesn't support HTTPS and the request is sent over http, then someone could perform an MITM attack (just like with everything else using http) and could tamper with the request and the user wouldn't even know it. I personally feel that this is unsafe, especially when both the consumer and merchant have access to private keys which can sign that payment request so that, at a bare minimum, its integrity is verified.
edit: how come we are always told to verify the signatures and checksums of the software we download even if it was delivered through a secure mechanism like https? Shouldn't the same apply to the payment requests?
