Can clients access/exploit scripts that are in the workspace?

TBH, It probably isn’t replicated at all, so you don’t need to do anything to hide it (as long as you use a server script, instead of a local script or module script)