I have been wondering lately on how can exploiters steal game assets with scripts? Do they use API where they can convert any models to an rbxl file? If so, what API do they use?
I don’t know much about exploiting, (since I’m a software dev) but i’ll try to give my theory here:
So I’m assuming most of these exploiters would use some sort of application, software that is able to look through the hierarchy of the game, on the client side (meaning things in serverscriptservice and serverstorage are safe and not shown),
then they just choose an object, they can delete it, or ctrl + c.
they can run localscripts too so protect your remote events that send a message to the server!
but all of their power resides locally, if you store your models on the server, they are safe.
Too bad that models in workspace are also accessible on the client 