Hello, I do know that the PlayerCharacter can bypass the FE system. Any exploiter can change their speed as simple as this:
game.Players.LocalPlayer.Character.Humanoid.Walkspeed = 100
This part I know, but I have another question:
Is there any exceptions to this rule? Are tools able to also bypass FE? Are players able to spawn random tools in their Character and mess with the game?
Players can change, copy, download, anything on their client. What they do locally does not replicate on the server, for the exception of the character, so changing walkspeed, jumppower, and things like this on the client change the way the humanoid moves and is seen by everyone in the server. Even if the server can't detect when those values are changed on the client. So for tools, what is done on the client (like creating a tool client-side) does not show on the server. For the server it will be like nothing happened, HOWEVER, exploiters are able to run animations, and those will be seen by everyone in the server. So in short, character modifications applied on the client are shown on the server. To do anything else exploiters need to use remoteevents/remotefunctions (this is why remoteevent security is important). Even if they can just modify the character, that allows them to create a lot of damage. For example they can fling everyone by making their character spin very fast. Or they can become invisible. Or stuff like this.