Can exploiters access Scripts that are in Workspace? Or is it only ServerScriptService that is safe?

For example if I have tools/weapons that have scripts in them, are they able to be accessed?

Exploiters can steal items in Workspace, ServerScriptService, and ServerStorage is really the safest places. Though, in reality; you should never have scripts in Workspace.

The only scripts that exploiters can steal are Localscripts, as their code is accessible to clients. Regular scripts’ code is unobtainable by exploiters, even if they’re in public areas such as workspace

So to answer your question, If they’re regular scripts, I think you should be safe since the code would be gibberish for them

No.

The code inside Server Scripts do not get sent to any clients because… you know… they don’t need it.
LocalScripts, however, can be stolen because… you know… they need it.
ModuleScripts depend on where you put them. Put them in ServerScriptService or ServerStorage, and they won’t be stolen, put them in any other place (that does replicate instances to clients), and they can be.

Most of the replies are wrong, don’t listen to them. An exploiter can never see a server script even if it is placed in a container that the client has access to, because the bytecode of it is never replicated to the client.

They already get some kind of gibberish from LocalScripts. That’s how they get any kind of code in the first place.
Scripts don’t send anything, like, at all.

Anything and everything that is on the client is within the reach of exploiters, never build your game arond the expectation that exploiters can do this, or they can’t do that, etc… Instead, focus on molding the server side (where it really matters) of your game to only operate in it’s set conditions, doing that will minimize the impact of exploitation way more than worrying about semantics of the client ever will.