Currently, scripts are allowed to use Third Party Modules, if the requested module is either public or owned by the game owner/group.
This allows viruses to find their way into games, Script Injection permission did reduce the risk of it happening, but the issue can still spread.
My possible solution to this is to change the way permissions around third party modules work, maybe a new property that makes Require follow the same way as InsertService, where the owner has to actually have possession of said script.
Or, go nuclear and just completely remove support require(id) entirely, it has more problems than advantages. (Though I don’t think Roblox want to do that)
I suggest also adding a permission setting to make sure older scripts that relied on require(id) don’t break.