The index of the deposit block header hash in header_deps MUST be put in the type-script-part of the corresponding witness at index i, using 64-bit unsigned little-endian integer format. The example below explains data placement in transaction witnesses.

From RFC of NervosDAO, the deposit block header index is placed into witness_args.input_type. See implementation:
https://github.com/nervosnetwork/ckb-system-scripts/blob/a7b7c75662ed950c9bd024e15f83ce702a54996e/c/dao.c#L63C12-L63C40

In the same cell, if lock scripts like secp256k1/blake2b is used, this field(input_type) is covered by sighash_all and can't be modified. However, in iCKB, the index value is malleable. For example, suppose Alice sends a transaction with input_type set to i. An attacker could intercept and change this i to j, while still keeping the transaction valid.