The only way for a hacker to change a variable’s value is if that variable is dependent on a return, so any returned value in a module script yes, or if the variable’s value is tied to something that the client can manipulate like a client side boolValue.
But short answer, no they cannot edit regular variables, they have to be returned and able to be set by the client outside of the script.
I have seen some exploits/hackers that have been able to modify scripts (LocalScripts or any ServerScript replicated to the client), and yes they can but I believe Roblox has patched most of those, however I’m unsure.