Exploiters can not modify server code whatsoever, or remove server scripts so they stop running. But you should, for organization reasons, keep your scripts in ServerScriptService. As long as a ServerScript is in a runtime environment, the client can not tamper with it and it will run.
Although its a lot easier to just use local scripts than confusing with remotes I would suggest doing so since if there are exploiters they can mess your game up real bad if its mainly programmed on the client.
Stuff like money, power ups and tools should mainly be sorted and handled on the client to avoid them being taken advantage of. Local scripts are fine for programming interactive gui since there’s not a lot an exploiter can do changing TweenPosition etc.