Can they only change tables and stuff like that or can they change functions???
Yes, they can change functions or prevent them from running at all. They can change anything visible to the client locally, but the changes won’t be visible to the server.
would I be able to pass a function in a module script from the server to the client using remote events so I can call the function on the client?
you’d be better off making the module script visible to the client and have the function be called from there after an OnClientEvent, exploiters can remove client connections to remotes extremely easily if you’re wanting to use it for security reasons
but then an exploiter can edit the content of the module script
as @RoBoPoJu said, the changes an exploiter makes to the module will not replicate anywhere else (i.e only them will view the module as being different, the other clients will not), editing a module locally and removing the function achieves effectively the same effect as nullifying the RemotEvent’s client connection in your use case, making the method redundant, if your game needs to make sure the client activates the function, you’re doing something wrong with your security
So? Exploiters can litterly make the module and run it on their client. Anyways if they change the module it won’t replicate to anyone else or the server.