Usually, I always hear that “Everything in the Client can be changed (by an Exploiter)” and, in fact, Local Scripts, Module Script and other resources can be changed / deleted / read. However, after reading several questions in the Forum , I didn’t find anyone talking about whether an Exploiter can change, delete or read a SCRIPT (NOT LOCALSCRIPT), like a script in a tool.
Can they do something with scripts in PlayerGui, Character or inside tools?
They are free to do whatever they want with local scripts. They can edit modules too if they are in a place accessible to the client. Server scripts however, are impossible to steal.
Even if the script is inside the Client?
Local scripts, if accessible to the client, are able to be decompiled. Module scripts, if accessible to the client, are able to be decompiled. Server scripts, if accessible to the client, are not able to be decompiled.
and not even edited, right?..
As I said, server script bytecode is not sent to clients so they can’t even edit it.
Exploiters can delete any scripts (local or server) placed in their character. Keep that in mind.
If there is a need to place a script on Character, it is a good idea to add its content inside the Character’s Health Script, isn’t it? 
No, I should’ve clarified that anything an exploiter deletes in the character replicates to the server, so it can delete any instance in its character at any time. This includes scripts, values, parts and so on.
Basically do not store any valuable scripts in the character scripts. (e.g. anything that if deleted will give it an advantage over other players).
Does this include tool instances and objects that are inside tools?
If they are cloned to the player, then yes. Say your tools are kept in server storage, they can not access them there. But once you clone that tool and give it to the client, it’s all theirs to do whatever they want with.