For the sake of everyone reading this in the future, I want to clarify that it is secure to keep scripts in Workspace. There is a lot of false information out there that the source of server scripts get sent to the client, but that is not correct. Kampfkarren correctly explains it in this reply: https://devforum.roblox.com/t/best-method-of-combating-place-stealer-exploits/100846/4
As well as here: https://devforum.roblox.com/t/best-method-of-combating-place-stealer-exploits/100846/9
Having said that, everything else in your reply is still very helpful - it’s just a common misconception out there that is inconveniencing a lot of developers when they could be focused on other security measures.