If exploiters can’t read local scripts, we will be able to encode things on RemoteEvents and RemoteFunctions for security.
I’ve seen some games whose maps are stolen, but I haven’t seen any stolen local script.
So are exploiters able to read local scripts?
In short, yes. Exploiters can read and save your local scripts.
Exploiters can access local scripts and can bypass any type of security on the client.
Using RemoteEvents and RemoteFunctions on the server is the safest you can get.
Stealing maps is completely different from stealing scripts. Exploiters can steal local scripts, but it is not common to repost them. Maps, on the other hand, are portrayed as much more valuable assets.
So, encoding is not a good way to make remotes secure.
Exploiters will use the function I’ll make for encoding.
Rip.
Oops, I should have been more specific.
In addition, RemoteEvents and RemoteFunctions are safe if you implement the correct security measures on the server.
It isn’t safe even if you implement it. Exploiters can still bypass it.
Exploiters can access RemoteFunctions/Events because they are usually stored in ReplicatedStorage. They can send any data they want to the server, which is why you still need to implement security measures.
Well, based on experience, it really depends.
For instance
The exploiter can send data like WalkSpeed = 100
but the speed is supposed to be within 16-20
Even implementing security measures isn’t gonna save you from all exploits.
Hackers cannot access the source code of any scripts. They can, however, access the precompiled bytecode of LocalScripts and ModuleScripts that exist on their machine and decompile it from there. There is no perfect way to prevent them from taking and editing data that is already downloaded to their machine (the bytecode of client-side scripts, descendants of Workspace, ReplicatedStorage, etc.).
Just use anti-exploit, do sanity checks. And that should be fine.
Although, not all exploits will not access, some are powerful enough to bypass stuff.
How do you achieve those without remotes? Unless ROBLOX added some new features that I’m unaware of…
As I said again, remotes aren’t gonna save you from all exploits.
This is incorrect. Only the bytecode of client-side scripts is sent to the client, not the source code. The ‘power’ of the hack is irrelevant.
It depends on what your use case will be really. As @Pyrotenics stated, he is correct when he says
There will always be one way or another to bypass security both on the server and the client. One thing you can do is to lessen the data the client sends to the server.
Just how exactly do you mean that anti-exploit scripts are better than RemoteFunctions/Events? This seems a bit misleading.
I’m not saying it is better, anti-exploits are important in one way or another.
What do you define as an anti-exploit out of curiosity? You make it sound very general.
Here are my tips.
My tip:
- Prioritize server-sided checks. Feel free to add client-sided ones afterwards, though don’t fully rely on them, but rather have them as a little “extra” thing. But only if you know what you’re doing!!! If you don’t know how to set up client-sided checks properly, then you should rather refrain from implementing them.
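
The server-sided check recommended in the thread, applied to its WalkSpeed example (allowed range 16-20), as an added example that is not part of the original posts. The remote name `SetWalkSpeed`, the `validateSpeed` helper and the 0.5-second rate limit are assumptions made for illustration.

```lua
-- Server Script (for example in ServerScriptService). Added example; names are hypothetical.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local MIN_SPEED, MAX_SPEED = 16, 20 -- allowed range from the thread's example
local MIN_INTERVAL = 0.5            -- assumed rate limit: seconds between requests

-- Hypothetical remote; a client fires it with the speed it wants.
local setSpeed = Instance.new("RemoteEvent")
setSpeed.Name = "SetWalkSpeed"
setSpeed.Parent = ReplicatedStorage

local lastRequest = {} -- [Player] = os.clock() of the last request seen

-- Pure check: returns the speed if acceptable, otherwise nil.
local function validateSpeed(value)
	if typeof(value) ~= "number" then return nil end -- strings, tables, Instances, nil
	if value ~= value then return nil end            -- NaN never equals itself
	if value < MIN_SPEED or value > MAX_SPEED then return nil end -- also rejects +/-inf
	return value
end

setSpeed.OnServerEvent:Connect(function(player, requested)
	-- `player` is supplied by the engine; `requested` is attacker-controlled.
	local now = os.clock()
	local previous = lastRequest[player]
	lastRequest[player] = now
	if previous and now - previous < MIN_INTERVAL then
		return -- too frequent: drop without processing
	end

	local speed = validateSpeed(requested)
	if not speed then
		-- Log the rejection so repeated out-of-range requests are visible.
		warn(("Rejected WalkSpeed request from %s: %s"):format(player.Name, tostring(requested)))
		return
	end

	local character = player.Character
	local humanoid = character and character:FindFirstChildOfClass("Humanoid")
	if humanoid then
		humanoid.WalkSpeed = speed -- only a value the server validated is applied
	end
end)

Players.PlayerRemoving:Connect(function(player)
	lastRequest[player] = nil -- do not keep entries for departed players
end)
```

A request such as `WalkSpeed = 100` is rejected and logged on the server, regardless of what the client-side script was changed to send.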