I was looking in the comments of a youtube video on a stamina system, a group of people were discussing whether or not to use a client sided stamina system, and I noticed this interesting comment:
I was wondering, is this true? Because I was considering changing my stamina script to be entirely local and handle all of the values in the script itself(rather than sending remote events and using attributes/numberValues).
I am sure scripts can be edited by the client in their entirety too, hence exploiters sharing local script source code, but do not quote me by that cause I may be speculating.
Exploiters can change and access everything the user client can, which means they can also call the server and send him information. This is why many people like to answer with “Never trust the client”. Because the information the server receives may be wrong, so always check it on the server side.