ReplicatedStorage’s contents are replicated to the client. Required or not, clients can see it. An exploiter could even just require it themselves and save the overhead of needing to deconstruct the byte code to get the raw source of the module.
Depending on what you’re doing, if you’re keen on hiding the ModuleScript’s source code from clients, just make put the ModuleScript in a server service and have remotes facilitate communication between the client and the server.
If you use a RemoteFunction to require a remote, the receiving environment will return a nil value. It returns nil because the ModuleScript is now using the environment of the script that required it, not because “byte code isn’t sent through remotes”.
A server requiring the ModuleScript means the returned instance is server-sided, sending it through the remote doesn’t work because the client doesn’t have access to this instance. The same goes vice versa.
Some games just have the script instances, they don’t have the code itself. If I had to guess:
- A developer leaked content
- The source was stolen via a security vulnerability
- Exploits that existed before FilteringEnabled (though I doubt even this)
- A security fault or one of the developer