Oops, I should have been more specific
In addition, RemoteEvents and RemoteFunctions are safe if you implement the correct security measures on the server.
It isn’t safe even if you implement it. Exploiters can still bypass it.
Exploiters can access RemoteFunctions/Events because they are usually stored in ReplicatedStorage. They can send any data they want to the server, which is why you still need to implement security measures.
Well, based on experience, it really depends.
For instance:
The exploiter can send data like WalkSpeed = 100
but the speed is supposed to be within 16-20
Even implementing security measures isn’t gonna save you from all exploits.
Hackers cannot access the source code of any scripts. They can, however, access the precompiled bytecode of LocalScripts and ModuleScripts that exist on their machine and decompile it from there. There is no perfect way to prevent them from taking and editing data that is already downloaded to their machine (the bytecode of client-side scripts, descendants of Workspace, ReplicatedStorage, etc.).
Just use anti-exploit, do sanity checks. And that should be fine.
Although, not all exploits will not access, some are powerful enough to bypass stuff.
How do you achieve those without remotes? Unless ROBLOX added some new features that I’m unaware of…
As I said again, remotes aren’t gonna save you from all exploits.
This is incorrect. Only the bytecode of client-side scripts is sent to the client, not the source code. The ‘power’ of the hack is irrelevant.
It depends what your use case will be really. As @Pyrotenics stated, he is correct when he says
There will always be one way or another to bypass security both on the server and the client. One thing you can do is to lessen the data the client sends to the server.
Just how exactly do you mean that anti-exploit scripts are better than RemoteFunctions/Events? This seems a bit misleading.
I’m not saying it is better, anti-exploits are important in one way or another.
What do you define as an anti-exploit out of curiosity? You make it sound very general.
Here are my tips.
To summarize all the currently posted replies:
Exploiters can access local scripts, but they do not access them directly, but through bytecode.
Security checks can be bypassed, but depending on your implementation, this may not happen in some cases. Security checks must be on the server for mostly authentication purposes and on the client for adding a layer of difficulty to those who do not have the right tools.
Thank you all for sharing your knowledge.
I quoted your replies, that does not claim them as mine. It’s for the sake of learning, not to show off who has more experience.
This is incorrect. Even if bypassable, client-side security measures present a difficulty to most cheaters, who do not have the skills or tools to bypass them. Until a dedicated cheat is developed specifically for your game, cheaters will be heavily restricted by these measures.
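A server-side sanity check for the WalkSpeed case raised earlier in the thread, as an added example that is not code from any of the posters. The RemoteEvent name `SetWalkSpeed` and the rate-limit interval are assumptions; the 16-20 range is the one given in the thread.

```lua
-- Server Script (Luau), e.g. placed in ServerScriptService. Added example.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

-- Hypothetical RemoteEvent the client fires to request a speed change.
local setSpeedEvent = ReplicatedStorage:WaitForChild("SetWalkSpeed")

local MIN_SPEED, MAX_SPEED = 16, 20 -- allowed range from the thread
local MIN_INTERVAL = 0.5            -- assumed: seconds between accepted requests
local lastAccepted = {}             -- [Player] = os.clock() of last accepted request

-- Returns the speed to apply, or nil if the request must be rejected.
local function validateSpeed(value)
	if typeof(value) ~= "number" then
		return nil -- the client can send any type, not just numbers
	end
	if value ~= value then
		return nil -- NaN never equals itself
	end
	if value < MIN_SPEED or value > MAX_SPEED then
		return nil -- WalkSpeed = 100 (or math.huge) is refused, not clamped
	end
	return value
end

setSpeedEvent.OnServerEvent:Connect(function(player, requested)
	-- 'player' is supplied by the engine; every later argument is client-controlled.
	local now = os.clock()
	local last = lastAccepted[player]
	if last and now - last < MIN_INTERVAL then
		return -- too soon after the previous accepted request
	end
	local speed = validateSpeed(requested)
	if not speed then
		warn(("Rejected WalkSpeed request from %s"):format(player.Name))
		return
	end
	lastAccepted[player] = now
	local character = player.Character
	local humanoid = character and character:FindFirstChildOfClass("Humanoid")
	if humanoid then
		humanoid.WalkSpeed = speed -- applied by the server, never by trusting the client
	end
end)

-- Drop per-player state so the table does not grow as players leave.
Players.PlayerRemoving:Connect(function(player)
	lastAccepted[player] = nil
end)
```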