Hiding your localscript isn’t the way to go. Indeed it may prevent exploiters from finding your script by name, but there are plenty of other ways they can use, such as hooking FireServer, getting the calling env with getfenv(2) and from that point obtaining the script.
I would also like to add to the “don’t make a clientsided anti-exploit” discussion. In my opinion, one should feel free to do that if they want to, but don’t make it your main line of defense, but rather an extra layer which isn’t that significant. I’ve seen some very decent clientsided anti exploit, so it’s completly possible to make one if you know what you’re doing. But again, focus mainly on the server!