_G is not replicated, on client _G shares between all local scripts and on the server it’s shared between server scripts, it works similar to module scripts except that you don’t have to require it.
It is generally not recommended to use _G, not due safety issues (it’s perfectly fine to use, it’s secure) but because you can easily make mistakes in it.
It’s fine to have things like cash, level, player stats, etc in _G but the issue is that you can easily overwrite tables by accident unlike in modules.
When using modules you have all your variables sorted, you can see which variables are inside that module and it’s more easy to refer to one because you know it’s there/exists and if you want to use the same name for a variable for example, you can re-use that same name in a secondary module.
When using _G, all of your variables and tables are all clumped together and unsorted pretty much, this is not a big issue but it can lead to confusion and accidental overwriting/messing up.
_G is not bad and it works almost the same as module scripts minus having to require() it.
It’s not slow, it does not have any security issues for as far as I know or whatsoever.
A lot of scripters don’t like _G and will likely discourage you to use it, but really the only problem with it is that variables are just clumped and put together unsorted so you may find yourself accidentally overwriting something you did not mean to, etc but this can be a little avoided if you can find yourself a way to keep track of which variables are used for what, etc, although this will be challenging, you’d have to find a way so you can see all variables in _G, _G does not (unlike modules) show what variables are inside so you sometimes end up guessing what variable you have to refer to or memorize the names, you’ll may find yourself looking through each script to see which script uses/made what variable, etc.
Tl;dr: Using _G is almost the same as using module scripts, it’s not bad, not slow, does not have security issues and it’s not replicated across server-client boundaries, most scripters just do not recommend using it because it’s clumped together and unsorted and you end up looking through each script to see which one made what variable, otherwise you may accidentally overwrite a already existing variable.