Apologies because I am very new to this.
(1) Specifically, I want to know which containers are only visible and manipulable by the server, which ones can be viewed but not changed by clients, and which ones can be changed by clients (if any) without remote events.
My understanding is that:
Positional changes from BodyMovers and animations are replicated regardless
Workspace: visible to clients, local changes not replicated
Lighting: visible to clients, local changes not replicated
ServerStorage: not visible to clients
ServerScriptService: not visible to clients
SoundService: visible to clients, local changes not replicated
I am not sure about:
Players
ReplicatedStorage
ReplicatedFirst
StarterGui, StarterPack, StarterPlayer
(2) Also, unrelated to the original question, what prevents people from injecting local scripts that fire remote events?
Here is my understanding of this, though there are likely minor mistakes in the subtle things.
When FilteringEnabled is off, anything that the client can read (and that the server can write), the client can set. Turning on FilteringEnabled is recommended.
When FilteringEnabled is on, anything that the client can read, the client can write to, but the effect will not be replicated to either the server or other clients -- it will only be visible to the current client.
For replicated objects, any change the server makes will be listened to by all clients (unless the client "localized" an object by moving it into an un-replicated space like the CurrentCamera)
Physics is distributed. I'm not certain whether or not changes to physics properties themselves will be replicated, but it's likely that, at least while the local player is nearby, the object will move as the LocalScript commands.
ServerStorage and ServerScriptService are not replicated to clients -- they cannot be read or written to by LocalScripts.
ReplicatedFirst and ReplicatedStorage are replicated to clients -- they can be read by LocalScripts.
StarterGui is replicated. The Server and Client both can read it.
If FE is on, PlayerGui is not visible to the server. Similarly, the client can only see the local PlayerGui (the PlayerGui object itself will exist, but it will be empty).
If FE is off, PlayerGui is replicated fully.
While injecting scripts is not easy, yes, they would be able to invoke server events.
If you're designing your game to be defensive and secure, you should ensure that all RemoteEvents/RemoteFunctions are requests and not commands that the server processes -- it shouldn't do anything that it's not supposed to.
For example, "award weapon" should check that you have enough money before proceeding (not just trust that the UI won't call it when you don't have enough), etc.
This isn't really different from the real world where companies have to give access to their systems through apps or webpages but can't let users do anything they aren't supposed to.
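Applying the "requests, not commands" advice from the answer above, here is an added example (not the poster's code) of a server-side handler that validates a weapon purchase before granting it, deciding on server data rather than on what the client UI claims. It assumes a RemoteEvent named BuyWeapon in ReplicatedStorage, a Weapons folder of Tools in ServerStorage each holding an IntValue named Price, and a leaderstats Money IntValue on each player; all of those names are assumptions.

```lua
-- Server Script placed in ServerScriptService. Added example, not from the original post.
-- Assumed layout (all names are assumptions): ReplicatedStorage.BuyWeapon (RemoteEvent),
-- ServerStorage.Weapons (Folder of Tool objects, each with an IntValue "Price"),
-- and Players.<Player>.leaderstats.Money (IntValue).
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local ServerStorage = game:GetService("ServerStorage")

local buyWeapon = ReplicatedStorage:WaitForChild("BuyWeapon")
local weapons = ServerStorage:WaitForChild("Weapons")

buyWeapon.OnServerEvent:Connect(function(player, weaponName)
	-- The first argument is always the sending Player; never trust a player
	-- identity passed inside the payload. Also validate the argument type,
	-- because an injected LocalScript can send anything here.
	if typeof(weaponName) ~= "string" then
		return
	end

	-- Only sell from the server-side catalog so a client cannot request
	-- arbitrary objects by name.
	local template = weapons:FindFirstChild(weaponName)
	if not (template and template:IsA("Tool")) then
		return
	end
	local price = template:FindFirstChild("Price")
	if not (price and price:IsA("IntValue")) then
		return
	end

	local leaderstats = player:FindFirstChild("leaderstats")
	local money = leaderstats and leaderstats:FindFirstChild("Money")
	if not (money and money:IsA("IntValue")) then
		return
	end

	-- Authoritative check: the server's own record of the balance decides,
	-- not whether the client's shop button was enabled.
	if money.Value < price.Value then
		return
	end
	-- Don't hand out a duplicate of a tool the player already has.
	local character = player.Character
	if player.Backpack:FindFirstChild(weaponName)
		or (character and character:FindFirstChild(weaponName)) then
		return
	end

	-- Deduct before granting so the grant never happens without payment.
	money.Value -= price.Value
	template:Clone().Parent = player.Backpack
end)
```

Because the server ignores the request whenever any check fails, a client that fires BuyWeapon directly gains nothing it could not get through the legitimate UI.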