Case:
A project that performs client sided many http requests encrypts and decrypts strings/json formats before being sent out or recieved.
The gameinstance class holds the variable for the encryptio/decryption keys so they can be accessed from any class directly for decryption and encryption within the engine on the client.
How safe is the project with such architecture? Where are the weak points? What can be improved? How easy is data accessible in general by reverse engineering or datamining?
If your game is multiplayer, keep the keys safe on dedicated server only, and use your API from dedicated server.
If your game is single player with for example a leaderboards API, it cannot be really secured. Best you can do is implement various mitigation techniques.
For example when submitting a run, you can send various game data along, which you can then review later for validation.
Also here are some points you can try to make cracking for difficult :
Not using HTTP, as it is relatively easy to hook & figure out. Instead you can use raw sockets with end-to-end encryption.
Make sure all the critical encryption components (functions and variables) are not marked with UPROPERTY/UFUNCTION and not in UCLASSES (and obviously not in blueprints). UE’s reflection system is relatively easy to read even in shipping builds.
Make sure you don’t ship PDB files. Those contain LOTS of information about everything in your C++ code.
Integrating an anti-cheat (or some sort of code obfuscator) should help making things more difficult.