Malicious code is able to show UI over the purchase prompt, and trick users into purchasing items

From what I understand of how Roblox works, the GUI prompt (with the buttons) is written in Lua and is part of CoreGUI (which is what the exploiters overload and crash), but clicking the button does not actually run any Lua code.

There is another script inside the client itself (I believe in C++) which actually handles purchases. It just detects whether the mouse is over the purchase button when you click, and if so it will complete the purchase.

The C++ code, however, does not check for the Lua GUI, so if that is disabled somehow the purchase can still go through. It just assumes the GUI is displayed properly.

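A constructed model of the click-handling flaw described in the post (added illustration, not Roblox's code): the naive handler only tests whether the click lands inside the buy button's rectangle, so it still completes the purchase when the prompt layer is hidden or covered by another UI layer, while the hardened variant also requires the purchase prompt to be the visible, topmost element under the cursor. Layer names, rectangles and the `Screen` model are all assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rect:
    x: int
    y: int
    w: int
    h: int

    def contains(self, px: int, py: int) -> bool:
        return self.x <= px < self.x + self.w and self.y <= py < self.y + self.h


@dataclass
class UiLayer:
    name: str
    rect: Rect
    visible: bool = True


@dataclass
class Screen:
    layers: list  # drawn in order; the last entry is topmost

    def topmost_at(self, px: int, py: int):
        # Hit-test from the top of the stack down, skipping hidden layers.
        for layer in reversed(self.layers):
            if layer.visible and layer.rect.contains(px, py):
                return layer.name
        return None


BUY_BUTTON = Rect(100, 200, 120, 40)  # assumed screen-space position of the buy button


def naive_click_handler(screen: Screen, px: int, py: int) -> bool:
    # As the post describes: only checks that the mouse is over the button area.
    return BUY_BUTTON.contains(px, py)


def hardened_click_handler(screen: Screen, px: int, py: int) -> bool:
    # Also requires the prompt itself to be what the user actually sees at the
    # click point, so a hidden prompt or an overlay on top of it rejects the click.
    return BUY_BUTTON.contains(px, py) and screen.topmost_at(px, py) == "purchase_prompt"


def scenarios() -> dict:
    # Constructed cases: (naive result, hardened result) for one click on the button.
    prompt = UiLayer("purchase_prompt", BUY_BUTTON)
    normal = Screen([prompt])
    hidden = Screen([UiLayer("purchase_prompt", BUY_BUTTON, visible=False)])
    overlay = Screen([prompt, UiLayer("fake_free_item", Rect(0, 0, 400, 400))])
    click = (150, 220)
    return {name: (naive_click_handler(s, *click), hardened_click_handler(s, *click))
            for name, s in [("normal", normal), ("prompt_hidden", hidden), ("overlay", overlay)]}
```

Only the "normal" scenario passes both handlers; the hidden-prompt and overlay cases are accepted by the naive check and rejected by the hardened one.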