Exploiters can access anything on the client no matter what. You should always (always) assume that anything a user does is malicous until proven otherwise.
Rule 1 of network security: Never trust the client
Rule 2 of network security: NEVER trust the client
Or don’t use _G in the first place. Use of _G is bad practice. It’s exactly why you don’t use global variables - name collisions. Consider bindables/module scripts.
EDIT: The OP doesn’t specify that their function is on the client or the server. If it’s on the server you’re fine @Paintertable (but you should use a module script instead of _G) If it’s on the client then an exploiter can access it.
Do note that if you have something like a MakeExplosion remote event, exploiters could abuse that.
There is a _G for the client, and a _G for the server. The server can read server _G code written in server scripts, and the client can read _G code written in client scripts Basically, an exploiter would not be able to access your function unless you put the function on the client. If it is on the server, then there is no way they’ll be able to access it.
Even if an exploiter could access your function, why would that matter? They can create explosions manually without the use of your function in _G. That being said; _G is different per machine and per client, so you’re fine. Why use _G when you can use ModuleScripts though? Fits code structure better.