I just find that hilarious that the ones you happen to mention are also some of the least effective methods out there. Fake remotes will be found and shared, encrypting doesn’t matter as clients don’t look at your code they look at what your code is doing, and WalkSpeed doesn’t actually replicate the number if changed on the client - you have to calculate the velocity manually.
This game of cat and mouse is relentless and we have very little tools.
Anyways after further research, I found this thread from 2018 saying how you can’t access CoreGUI from a local script, but you were able to detect via a workaround if a GUI was added to the CoreGui. I’m not entirely sure if it’s still valid but definitely check the post out and read through the thread. It contains a lot of arguments on how you shouldn’t be relying on this method.
It seems to me like they might be using this type of method or similar to detect changes in CoreGui left by certain exploits. Again this method is not viable for anti-exploit as many exploits just get around it either way, and exploiters can even just turn off your client-side checks.