A few months ago, most of my games broke because of filtering enabled. One of the things that broke was the GUIs, as I had used server-sided scripts in them, which didn't work when filtering enabled was on. After some research, I figured this out and started development on a new game where I made sure everything worked with filtering enabled. By habit, I accidentally put a server-sided script inside a GUI instead of a local script. But to my great surprise, it ran. The script ran and did exactly what I wanted it to do. After that, I immediately checked filtering enabled and it was turned on. How could this happen?
FE (the abbreviation for FilteringEnabled) is, basically, your game's layer of security. FE prevents most changes on the client from replicating to the server (changes that can replicate are usually related to teleporting a player to another position from the client, which is why such exploits are effective). Before FE existed, it was possible for server scripts to make changes to GUIs by accessing the PlayerGui. Server scripts can no longer do this because of FE (unless a GUI was inserted into the PlayerGui from the server, but then the server can only access that GUI and no other GUI). If you try to access something in the PlayerGui that the server did not initially put in the PlayerGui, you will get an error saying that x is not a valid member of PlayerGui.
If your server scripts are able to access the PlayerGui's contents, then either 1 of 2 things is happening:
GUIs should be handled through LocalScripts, with remote events and functions communicating to the server (if needed). This is because LocalScripts run their code on the client, where the PlayerGui's contents can be accessed (the contents are usually client-side only).
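The LocalScript-plus-remote-event split described in the answer above, as an added example that is not part of the original post. It assumes hypothetical instance names: a RemoteEvent `BuyItemRequest` in ReplicatedStorage, a TextButton as the LocalScript's parent, and a `leaderstats/Coins` value on each player. The two sections are separate scripts.

```lua
--== LocalScript, parented to a TextButton inside a ScreenGui (hypothetical) ==--
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local buyRequest = ReplicatedStorage:WaitForChild("BuyItemRequest")
local button = script.Parent

button.Activated:Connect(function()
	-- GUI changes happen here, on the client that owns the PlayerGui.
	button.Text = "Requesting..."
	-- Send only the item name; the server decides the price and the outcome.
	buyRequest:FireServer("Sword")
end)

-- The server reports the result; the client updates its own GUI.
buyRequest.OnClientEvent:Connect(function(success)
	button.Text = success and "Purchased" or "Not enough coins"
end)

--== Script, placed in ServerScriptService ==--
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local buyRequest = ReplicatedStorage:WaitForChild("BuyItemRequest")
local PRICES = { Sword = 100 } -- constructed sample data

buyRequest.OnServerEvent:Connect(function(player, itemName)
	-- `player` is supplied by the engine. Every argument after it comes from
	-- the client and must be treated as untrusted input.
	if type(itemName) ~= "string" then return end
	local price = PRICES[itemName]
	if not price then return end

	local stats = player:FindFirstChild("leaderstats")
	local coins = stats and stats:FindFirstChild("Coins")
	if not coins or coins.Value < price then
		buyRequest:FireClient(player, false)
		return
	end

	-- The authoritative change is made on the server, so it replicates.
	coins.Value = coins.Value - price
	-- The server never touches the PlayerGui; it only sends the outcome back.
	buyRequest:FireClient(player, true)
end)
```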