Okay, so a very basic, high-level overview is:
Server script handles the data store stuff. This includes:
- initialising the data for new players
- retrieving stored data for returning players
- saving data for players in game
That all makes sure that players can continue where they left off from last time they played.
The server also needs to handle actually changing the data in play sessions as well. For example a player may touch a coin in the game and then receive some currency.
These in-session updates usually happen frequently enough to break the limits on data store requests, so a caching system is required. Examples of these are DataStore2 and ProfileService.
You’ve mentioned security issues so I’ll state a key concept that needs to be applied. The server should make the final decision on whether or not any player data should be changed and it has to account for the player being able to tell the server anything at all, true or false.
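A sketch of the coin case with the server making the final decision, added here as an example and not part of the original post. It assumes a RemoteEvent named `CollectCoin` in ReplicatedStorage and a `Coins` folder in Workspace (both hypothetical names), and uses a plain table as the session cache in place of a module such as DataStore2 or ProfileService.

```lua
-- Server Script (e.g. in ServerScriptService). Added example; object names are assumptions.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Workspace = game:GetService("Workspace")

local collectCoin = ReplicatedStorage:WaitForChild("CollectCoin") -- hypothetical RemoteEvent
local coinsFolder = Workspace:WaitForChild("Coins")               -- hypothetical Folder of coin parts

local MAX_DISTANCE = 12 -- studs; assumed tolerance for latency
local COIN_VALUE = 5    -- set by the server, never read from the client

-- In-memory session cache keyed by player, so frequent updates
-- do not turn into frequent data store requests.
local sessionData = {}

Players.PlayerAdded:Connect(function(player)
	sessionData[player] = { currency = 0 } -- a real game loads stored data here
end)

Players.PlayerRemoving:Connect(function(player)
	sessionData[player] = nil -- a real game saves to the data store before clearing
end)

collectCoin.OnServerEvent:Connect(function(player, coin)
	-- The client can send any value or none at all, so check the type first.
	if typeof(coin) ~= "Instance" or not coin:IsA("BasePart") then return end

	-- Only accept coins the server itself placed, not an arbitrary part.
	if not coin:IsDescendantOf(coinsFolder) then return end

	local data = sessionData[player]
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	if not data or not root or not root:IsA("BasePart") then return end

	-- Compare positions as the server sees them, not as the client reports them.
	if (root.Position - coin.Position).Magnitude > MAX_DISTANCE then return end

	-- Destroying the coin removes it from coinsFolder, so a repeated
	-- request for the same coin fails the descendant check above.
	coin:Destroy()
	data.currency += COIN_VALUE
end)
```

The client only names which coin it claims to have touched; the amount awarded and every check that gates it live on the server.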