Don’t worry about attempting to hide or obfuscate your client-sided logic. It is fundamentally impossible to completely hide it because it exists on the clients machine, which they have full control of. Obfuscating or hiding your logic won’t provide any security benefits, and is pretty redundant because it won’t prevent a dedicated malicious actor.
Focus on implementing a correct client/server modal. Validate all information from the client and have the server take an authoritative stance. It sounds like you are relying on information sent from the client. This is a big no, never trust the client. It is not a trusted source, as, yes, data can be manipulated on the client. A prime example would be a graphical shop on the client. A secure setup would be the server being informed you want to purchase a specific product, the server finding the price of the product and deducting that from the clients wallet, and awarding the item. An insecure setup would be the client providing the cost and the server acting upon it (the client can manipulate the cost value, and therefore the server will act upon the value provided by the client, E.g. 0).
-
Everything, outside of instances under ServerScriptService and ServerStorage, is visible to the client. A script instance under workspace is visible, albeit it is useless because bytecode isn’t replicated to the client.
-
Yes, this is correct.
-
Yes, this is correct.
You can find information here: Exploiting Explained.