So there was this tool I made and it fired a block into mouse.hit.p
local script and serverscript were both inside the tool but my friend suggested that i remove the serverscript from the tool and put it inside serverscript service is it true that it is more secure?
No, this is not more secure; clients cannot view or change the content of (server-side) Scripts.
However, many programmers (including myself) prefer to keep all (server-side) Scripts inside ServerScriptService for organisational purposes. I find that having all of my Scripts in the same location makes development easier in the long run. To be more specific, I have one Script with several ModuleScripts; this way, my code is both re-usable and separated into logical parts.
Each developer has their own preferred way of doing things. You should just play around with a few different styles, and use what suits you best.