I agree with your client and with other answers here, that it is a security concern.
It's not always safe to assume that browser history is private to the user. You don't say who your client is, but if you're in the realm of PII, my mind automatically goes to a healthcare setting. I would be concerned about a HIPAA violation.
A patient may trust logging into their patient portal using a kiosk at a doctor's office, for example. However, another user (even someone on the back end in IT) even seeing the patient name and knowing they are a patient puts the org at risk.
I'm also not sure if you have the best understanding of PII given the question. For example, I'd usually not consider an order number PII; of course, it depends.
After working in healthcare for the past few years, I've learned that what is considered PII and PHI is often contextual. This is a great definition from the GSA:
"The term “PII,” as defined in OMB Memorandum M-07-16 refers to
information that can be used to distinguish or trace an individual’s
identity, either alone or when combined with other personal or
identifying information that is linked or linkable to a specific
individual. The definition of PII is not anchored to any single
category of information or technology. Rather, it requires a
case-by-case assessment of the specific risk that an individual can be
identified. In performing this assessment, it is important for an
agency to recognize that non-PII can become PII whenever additional
information is made publicly available - in any medium and from any
source - that, when combined with other available information, could
be used to identify an individual."
Order numbers would not usually be considered PII, in my experience. I worked at a wellness company that had a retail component, and order number was not considered PII in our systems, because of the way our databases were structured. However, I can think of a use case for order number being PII. Let's say you have a tracker tool that allows you to put in the order number, and see the location of the package and the full delivery address. Then you're in a situation where order number is revealing sensitive information.
Another definition that I like of PII is this one from the DOL, which says that
"information permitting the physical or online contacting of a
specific individual is the same as personally identifiable
information."