1. The Query string information is in the GET request which means that any log file at the AG, Oracle box or intervening component will also log the user's credentials in clear text.
2. The target app may redirect the user's request whilst preserving the query string info. As a result, the injected credentials may suddenly become viewable at the user's browser which would be a major concern. A Referrer header may also include the query string credentials which is another place that the credentials may be leaked from.
So usign SSL does not necessarily protect leakage of credentials.
Will the app accept the credentials if you use custom header parameters called "username" and "password" or whatever instead of the query string? Not that I would particularly recommend it but at least the most dangerous potential information leakage mentioned above would be avoided.
Also, with this approach, there may be a problem if the target application password is changed, expired, or locked and passwords etc. aren't synched to the NAM user store. At least with FormFill you have the flexibility to script different behavior.