As it stands, the only way to purge exploiters from a community with any real consistency is to ban them manually once you’ve caught them and to leave the game as paid access only. You can set up automated systems for that, but they typically need to constantly evolve to catch new exploiters, and 9/10 times the person just makes a new account. The process of IP banning would need to be handled securely on ROBLOX’s end entirely, so that people don’t use the feature as a means to leak others’ personal information.
As it stands, for games like fighting games where there’s a lot of player-on-player hitboxes, being able to handle hit detection clientside is a massive advantage, since it removes a chunk of input lag that would’ve been there if it were done serverside. However, sanity checks only get you so far.
Whenever someone does find ways through the cracks of a game’s security, ensuring it’ll be as inconvenient as possible for them to get back in makes a world of difference in how often the exploit will be repeated.