I have a local script with several variables. I was wondering if exploiters have the capacity to access/modify variables in local scripts?
Yes. Anything they have access to - replicated storage, local scripts - they can change for themselves. That includes the contents of local scripts.
An exploiter can access them and I think edit them. As a general rule never trust the client. Try to run all of your important code from the server as the client doesn’t have access to that. Another useful tip is that you should try and avoid the client sending information to the server as it could have been tampered with. But the server sending information to the client is fine. Here is a topic all about exploiting: Exploiting Explained.
Correction, always assume the requests the client is sending have been tampered with. You must also know that you should not get the server to do unnecessary stuff like animating; get the clients to do that instead.
Also to your question, yes, the “client” is a computer, and anything you have on the client (local scripts, for instance) is on their actual computer, which means that they can access and change the variables - granted they have the right tools to do so.
You can handle animations from the server. The only reason why it’s more preferred for animations to be done on the client is because the client has network ownership over their character - as such, animation playback also replicates via the Transform property of Motor6Ds. I wouldn’t say that server-based animating is unnecessary, but rather should be kept to a minimum.
Sorry to nitpick, but the client is the device. Just want to clarify that in case it’s believed that the client only refers to a computer. Anything that the client can see (frontend) can be accessed and modified. This includes LocalScripts and geometry data (parts in client-accessible locations).
“Computer” can be used for all devices - including phones and personal computers and desktops. I thought computer would be a better term for it; if not, then I am sorry.
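
The "never trust the client" advice from the replies above, as an added example that is not part of the original thread: a server Script that treats every value arriving over a RemoteEvent as tampered with and keeps the authoritative state out of the client's reach. The `BuyItem` event, the price table and the coin balances are hypothetical names and constructed data.

```lua
-- Server Script (e.g. in ServerScriptService). Added example; all names are hypothetical.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

-- Prices and balances exist only on the server, so a client cannot read or edit them.
local PRICES = { Sword = 100, Shield = 75 } -- constructed sample data
local coins = {}         -- [Player] = balance; the server is the source of truth
local lastRequest = {}   -- [Player] = os.clock() of the last processed request
local MIN_INTERVAL = 0.5 -- minimum seconds between requests per player

local buyItem = Instance.new("RemoteEvent")
buyItem.Name = "BuyItem"
buyItem.Parent = ReplicatedStorage

local function onPlayerAdded(player)
	coins[player] = 150 -- constructed starting balance
end
Players.PlayerAdded:Connect(onPlayerAdded)
for _, player in ipairs(Players:GetPlayers()) do
	onPlayerAdded(player) -- cover players who joined before this script ran
end

Players.PlayerRemoving:Connect(function(player)
	coins[player] = nil
	lastRequest[player] = nil
end)

-- `player` is supplied by the engine; every argument after it is client-controlled.
buyItem.OnServerEvent:Connect(function(player, itemName)
	-- 1. Type check: a modified client can send any value, or nothing at all.
	if typeof(itemName) ~= "string" then return end

	-- 2. Throttle: a modified client can fire the event as often as it likes.
	local now = os.clock()
	if lastRequest[player] and now - lastRequest[player] < MIN_INTERVAL then return end
	lastRequest[player] = now

	-- 3. Look the price up on the server; never accept a price sent by the client.
	local price = PRICES[itemName]
	if not price then return end

	-- 4. Check the server-side balance, not a value held in a LocalScript.
	local balance = coins[player]
	if not balance or balance < price then return end

	coins[player] = balance - price
	print(player.Name .. " bought " .. itemName .. ", balance now " .. coins[player])
end)
```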