Yes this is fixed, PromptPurchase() must now be called from the server when being used for ANY limiteds.
As to why PromptPurchase() can be fired from the client: probably because for the majority of transactions it’s unnecessary to go from Client → Game Server → the Roblox server that handles item purchases. The game server is an extra stop if the user is initiating the request to buy something.
Here is the post where they made the update to fix the exploit: