Can exploiters fire events in a module script containing their inventory to add items?

Hello guys im trying to learn better practice for my code and I was wondering what would happen in this scenario.

Say you have a gui script on the client to buy an item. This fires a remote function to a server script to check if you can afford it.

From what i understand that check on the server script would stop an exploiter from getting the item for free.

However if the server script then called an addItem function in a module script without checking again in the module script if the player can afford it could an exploiter just fire the module script function instead?

I only have limited understanding but would that just change the clients version of the module script and not replicate to the server?

I also have another question. The server event takes the player as an argument so could an exploiter change the player to someone else on the server and make the script edit their inventory instead?

Injectors can do everything what localscripts can, so you need to implent a check to additem function instread of separating it.

Correct, module scripts do not replicate across the client/server boundary. That being said, a client also cannot see server changes to a module script’s contents either. If the server adds a function to the module, no clients will be able to see it. Any changes to the client’s module script would be local only. They could call the module script function but that would only create the instance on the client, the server and all other clients will not be able to see it.

No, exploiters cannot spoof the player argument of remote events.

thanks that makes things a lot simpler