I’m new to security in Roblox games, and have many questions, if anyone could answer these questions please do.
Only thing i can suggest is don’t have scripts in workspace and for exploiters they can kinda use saveinstance still, but its way different and it doesn’t save scripts.
but yes they can steal your assets still just not scripts, you can maybe add a anti-cheat, but who knows if that will do any good. And never add free models! Here more info about security.
No exploiter can access server sided scripts and manipulate them unless there’s some sort of loophole or backdoor.
I mean for exploiting, there really is no limit. Depending on how venerable and how secure your game is exploiters can quite literally do nothing or ruin the entire game in a second.
I believe exploiters can use Dex which allows them to look but not edit in Workspace, SeverScriptService, StarterPlayerScripts, StarterGui, Replicated Storage, & lighting. I believe they cannot access ServerStorage or Tools. However, any edit they make is only client sided.
I mean I know that roblox is cracking down on exploiters with multiple anti-exploits in each update however I believe mobile exploiting is still booming. I mean it depends on what you mean by “simple” but any exploiter can just launch InfiniteYield and fly around your map unless you have an Anti-Cheat set in place.
All in all, exploiters scripts are usually only to manipulate certain things and not ruin your entire game such as boosting their coins or teleportation. If an exploiter has the ability to spawn a Demolition Truck, then that means there’s a backdoor in your game somewhere. You shouldn’t worry too much! 
thank you, this was exactly what i was looking for, just one question
if they can access these can they see inside of things such as server scripts and read the code? or simply see what the name of the script is, essentially what we can see in explorer?
Exploiters can only see the name and instance properties of server scripts, they cannot see the source code or bytecode (so decompilers will not work on them).
However, they can see the bytecode of ModuleScripts, but only as long as they are not in ServerStorage or ServerScriptService, whose contents can’t be seen by clients.
@Szerpllx is wrong about a couple things, Dex cannot see anything inside of ServerStorage or ServerScriptService. It can see everywhere else, and it can also make edits, however the edits won’t replicate to the server so they can’t change the game for others. (One exception: they can sometimes delete any instance under their character, even things like scripts, unless Workspace.RejectCharacterDeletions is set to Enabled, which should eventually become the default.)
Generally a client will be able to decompile the bytecode of any LocalScript, ModuleScript, or RunContext Client script that they can see. “See” means that it has been replicated to them at all (parenting something to nil can’t hide it from exploiters). As long as something never leaves ServerStorage or ServerScriptService, it hasn’t been replicated to any clients.
Bytecode is basically a compiled script, it doesn’t have local variable names but a decompiler can sometimes turn it back into some sort of code that works the same way, although it won’t necessarily always be the exact same as the code that you originally wrote.
Oops, sorry! Yeah, your right they cannot access ServerStorage or ServerScriptService. However, like I was saying, any edit on scripts or parts are strictly client sided and should not affect other players(?).
(ugh, wrong reply, trying again)
don’t worry, this was addressed: