Theory (based on not much).
Could it be sanitised submissions? So there is content in the forms, then script tags and the script they contain are being stripped, but still stored in the Umbraco Forms entries table?
It’s about the only thing I can think of that can explain how it’s bypassing the required flags and passing the validation, front end and back end!?