Say I was making a character creator/customiser, where the player can choose their hair, hats, clothing etc. on the client/localscript. If I were to call a RemoteFunction to check if they had a certain gamepass (for example one which unlocks exclusive hats), I would return either true or false into a variable. My question is, would the client be able to change this variable after it's been returned, (so false to true), so they can access the exclusive items without having the gamepass?
Secondly, what would be the most ideal place to store experience and currency on the server, so it's not accessible or able to be changed by the client, (e.g in Players Service, Repstorage, workspace etc.)?
Thanks.
To store things on the server side you use ServerStorage and ServerScriptService, ServerStorage is simply for storage but ServerScriptService will also execute the scripts in there.
Now about exploiting. They will be able to still obtain the gamepass hat if you're doing it all in a localscript, if you want them to not obtain the gamepass hat then do it on the server side, otherwise you can't protect yourself from exploiting.