Not only GETs. Any method.
What you are trying to convey I think is that browsers will send GET requests by default when you visit a URL.
But you can also send a POST and retrieve data. Actually with any type of request(GET, POST, PUT, PATCH, DELETE). It all depends on the server implementation. So secure everything that can be secured.