Surely though if I’m using loadstring in the server and the only code that can be run is predefined, that prevents most exploits, right? I’m not using the typical Loadstring() but using a “Lua in Lua VM” Module in server storage, so the client shouldn’t even be able to see it. Not that the client can run loadstring, anyway, but I suppose it’s still better that way as the player doesnt know the indexes for functions.
Especially as the code being run is set by the server and can only be chosen by specific indexes, anything that isn’t a valid index is ignored.
I suppose it’s all down to how I handle the visual compiler to prevent anything that shouldn’t be run. Also, values sent as parameters will be overridden by the server if they are unusual e.g. if you try to make a walk speed be 5000 it will be clamped to 50 or some max value.