Your point 1 is Roblox’s responsibility, that I agree with. However, with #2, not if the API is called from within a vLua VM. The VM itself, in general, is a hard nut to crack. So having the sensitive code run in a VM is the best option.
Your point 1 is Roblox’s responsibility, that I agree with. However, with #2, not if the API is called from within a vLua VM. The VM itself, in general, is a hard nut to crack. So having the sensitive code run in a VM is the best option.