the possibility of script-insecurity is mostly because the script-language in my case is largely due to the existence of a root-accessible C FFI.
code running under a non-root user generally lacks direct FFI access, and generally has to go through a "_setugid" wrapper, though I could possibly add support for being able to mark various C functions as callable via untrusted code (vs requiring a wrapper class).
clients hacking servers is likely slightly less of an issue at present, as there is currently no way to directly send code to the server (except possibly via console commands, but these are filtered), and currently no RPC is used (RPC had generally also been seen as a potential security risk). most normal communication is via list-format messages (except partly with voxel data, which are sent mostly as flattened out byte-arrays).
Yes, the clients should never send script back to the server, that would be a basket full of snakes to keep secure..
What seems to be missing here is that it sounds like you are not sandboxing the scripting on either side and instead possibly sharing a VM environment? For our usage in a full client/server networked model each side had a unique VM instance and each one allowed access to only functionality defined for that side. What I mean is that there were basically three tables of functions which were registered with the VM's, on the client the "client and shared" tables were registered, on the server the "server and shared" were registered. As such there was no possibility of the client even knowing of the server accessible functions and even if they did get a list, they didn't have "transmission" ID's which would map a message/RPC/whatever to call those functions, it would just be an invalid and dropped message.
If I'm taking something out of context, please correct me but it sounds like a shared VM over client and server which sounds like a bad idea.
as for gameplay hacking:
the main obvious hacks are mostly, if control if player movement were moved to the client, it would be possible for a hacked client to rig up things like flying/noclip/teleporting/...
I.e. the standard hack types because most games do want to run the movement on the client in order to make it as responsive and smooth as possible. The only "absolute" solution is to say "don't do it" but that sucks because then you have all the latency issues, "too" smooth movement if the server runs as lower update rates than the client graphics updates etc. If you can get away with leaving the latency between player saying move and acting on it (or hide it, harder but possible, I pushed this solution for a prior game but ended up overruled because it wasn't coded like "normal" game objects anymore ) then that is still your best bet for non-hackable. Mostly folks go with the client controls movement though because it is basically the same as a single player game and everyone knows how to code it. Anyway:
With some work you can put in a "90%" catch the bastards system which is not impossible to hack (NOTE: teleporting can always be caught, that's easy to determine server side without much work), it just raises the bar from being something anyone that downloads Cheat Engine can do, to something someone will likely get kicked offline/banned a couple times before they figure out enough to work around it. The idea is to be sneaky but not intrusive to your code, yet add some layers of double checking things.
I'm not sure how much detail in terms of ways to catch cheaters you want but basically if they have the executable available and you have moved movement to the client, it is really your only solution. It's not perfect and you just have to deal with the fact that some percentage of cheaters will get away with it. As long as the number of cheaters is fairly low, it's worth ignoring them if 99% (hopefully 99+%) are foiled.