Hello! There are two main questions I gathered from this post:
Do you have code to share (this is Scripting Support)?
Is the game FilteringEnabled?
Right off the bat, I can tell you a few things though.
FilteringEnabled being checked should definitely stop all/most of the issues you just gave us. This may require you to adjust your code accordingly, using remote functions/events to factor in this change with how projectiles and character damage are handled, to prevent exploits like these from happening again.
Also, this is a good opportunity for you to reflect on your code since people in the lobby should not be able to take damage as I assume they are not supposed to.
All games are FilteringEnabled, it isn’t an option and hasn’t been for well over a year. The property just determines whether or not to display the “The owner may need to update this game” text on the website.
Like I said earlier, if you keep players in the lobby from being damaged, exploiters would have no reason to direct attacks toward them. This could be fixed with a simple boolean, let’s call it playing, that prevents players from being attacked if the players are not playing (for which the bool value would be false).
There is no way to completely remove network ownership without having to rework replication yourself or having to deal with more lag. Best you can do is do some sanity checks on whatever the client tells the server or trust the server more than the client for things like hit detection. Aside from that, this is really the only other option…
You can try making copies of the projectile so that the server creates one that actually detects hits and the clients just make one so it can see the projectile visually. That way, regardless of who owns the projectile, the actual invisible one still belongs to the server, and users will not see laggy projectiles.
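The suggestions in this thread (a `playing` flag, sanity checks on client input, and a server-owned projectile for hit detection) can be combined in one server script. The sketch below is an added example, not code from any poster. It assumes a hypothetical RemoteEvent named `FireProjectile` in ReplicatedStorage, a `playing` attribute that only the server sets on each Player, and constructed tuning values; each client would draw its own visual projectile separately.

```lua
-- Server Script (e.g. in ServerScriptService). Added example; names and values are assumptions.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Debris = game:GetService("Debris")
-- Hypothetical RemoteEvent; clients fire it with an aim direction only, never damage or targets.
local fireEvent = ReplicatedStorage:WaitForChild("FireProjectile")
local COOLDOWN, SPEED, DAMAGE, LIFETIME = 0.5, 120, 20, 5 -- constructed tuning values
local lastShot = setmetatable({}, { __mode = "k" }) -- [Player] = time of last accepted shot

local function isPlaying(player)
	return player ~= nil and player:GetAttribute("playing") == true -- false or unset means lobby
end

fireEvent.OnServerEvent:Connect(function(player, direction)
	-- Sanity checks: never trust the type, magnitude or rate of what the client sends.
	if typeof(direction) ~= "Vector3" then return end
	local m = direction.Magnitude
	if m ~= m or m < 1e-3 or m == math.huge then return end -- NaN, zero or infinite vector
	if not isPlaying(player) then return end -- lobby players cannot attack
	local now = os.clock()
	if now - (lastShot[player] or -math.huge) < COOLDOWN then return end
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	local humanoid = character and character:FindFirstChildOfClass("Humanoid")
	if not root or not humanoid or humanoid.Health <= 0 then return end
	lastShot[player] = now
	-- Invisible hit part, spawned from the server's own view of the shooter's position.
	local hitPart = Instance.new("Part")
	hitPart.Size = Vector3.new(1, 1, 1)
	hitPart.Transparency = 1
	hitPart.CanCollide = false
	hitPart.Position = root.Position + direction.Unit * 3
	hitPart.Parent = workspace
	hitPart:SetNetworkOwner(nil) -- physics ownership stays with the server
	hitPart.AssemblyLinearVelocity = direction.Unit * SPEED -- gravity still applies to the part
	Debris:AddItem(hitPart, LIFETIME)

	hitPart.Touched:Connect(function(other)
		local model = other:FindFirstAncestorOfClass("Model")
		local victim = model and Players:GetPlayerFromCharacter(model)
		if not victim or victim == player or not isPlaying(victim) then return end -- lobby players take no damage
		local victimHumanoid = model:FindFirstChildOfClass("Humanoid")
		if victimHumanoid then
			victimHumanoid:TakeDamage(DAMAGE)
			hitPart:Destroy()
		end
	end)
end)
```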