I know that exploiters can copy anything that has been replicated to the client (which does not include instances in ServerScriptsService and ServerStorage), and can change variables/functions in LocalScripts My questions are:
Would they be able to modify the LocalScripts and ModuleScripts if they were deleted? (for instance, if i were to create a game which only relies on connections)
Would they be able to modify ModuleScripts? (assume that they were required by the client)
Would they be able to copy all instances that are in workspace? (as in like, when the server starts/when the game is published)
I also want to make it a little clearer that, even if there are any server Scripts accessible to the client, clients don’t get the bytecode of those still, therefore server Scripts are always impossible to decompile.
They can get the connections of an event using getconnections(), and if you are saying “deleted” as in they are parented to nil, you’re out of luck because exploiters generally have a getnilinstances() method equipped.
Clients get module bytecode because modules are also able to be required by clients. If your module will only ever be used on the server side then hide it in ServerScriptService. If an exploiter edits a module it will only be their copy since there would be a separate copy of the module for every machine.
They can use saveinstance() to steal geometry in the game.