Passing client set variable into Run on server RPC

Yes, you are exactly right. Sending in a value to an RPC and then just having the server accept that value will make your game prone to cheating. You have to remember that the client is capable of manipulating anything that the client has control of. In fact, it is possible that the client that is connected to your game might not even be UE4 (this is an extreme case, but is not impossible).

Here is an example to think about. Let’s say that you are programming an attack action for your game where your player character swings a sword at an opponent.

A bad way to handle this would be to have the client swing the sword and see if it hits the enemy. Then if it does, send an RPC to update the health of the enemy. While this might give you the result you desire, it would be easy to cheat. I would hack this by just changing the number that is sent for the health in the RPC call to either a really large number or zero and then your game would be broken.

A better way to handle this would be to send an RPC call from the client to the server when the client presses the attack key. Then handle all of the collision checking and health deducting on the server side. If you do it this way, it is much harder for a player to cheat, since all they can cheat with is a key press, which is something they were allowed to do anyway (unless there are cooldowns, but you can check for that on the server when you validate their RPC request).

When it comes to RPCs in multiplayer games, think of them as requests to ASK the server to do something, instead of commands to tell the server what to do.
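The two sword-swing designs from the answer above, as an added example that is not part of the original answer and is not Unreal Engine code. It is a plain C++ model of the server side; `Server`, `Player`, `RpcSetHealth`, `RpcRequestAttack` and the damage, range and cooldown constants are all hypothetical names and values chosen for illustration.

```cpp
#include <cmath>
#include <unordered_map>

// Constructed, engine-free model of the server side; all names are hypothetical.
struct Player {
    float x = 0.0f, y = 0.0f;
    int health = 100;
    double lastAttack = -1e9;  // server clock time of the last accepted hit
};

class Server {
public:
    static constexpr int kSwordDamage = 25;
    static constexpr float kSwordRange = 2.0f;
    static constexpr double kCooldown = 0.5;  // seconds

    std::unordered_map<int, Player> players;

    // BAD: the client supplies the outcome and the server stores it as-is.
    void RpcSetHealth(int targetId, int newHealth) {
        auto it = players.find(targetId);
        if (it != players.end()) it->second.health = newHealth;
    }

    // BETTER: the client only reports "attack pressed". callerId is taken from
    // the connection, never from the payload; the server decides everything else.
    bool RpcRequestAttack(int callerId, int targetId, double serverNow) {
        auto a = players.find(callerId);
        auto t = players.find(targetId);
        if (a == players.end() || t == players.end() || callerId == targetId) return false;
        Player& att = a->second;
        Player& tgt = t->second;
        if (att.health <= 0 || tgt.health <= 0) return false;      // dead actors
        if (serverNow - att.lastAttack < kCooldown) return false;  // cooldown check
        // A range check on server-held positions stands in for collision testing.
        if (std::hypot(att.x - tgt.x, att.y - tgt.y) > kSwordRange) return false;
        att.lastAttack = serverNow;
        tgt.health = tgt.health > kSwordDamage ? tgt.health - kSwordDamage : 0;
        return true;
    }
};

int main() {
    Server s;
    s.players[1] = Player();
    s.players[2] = Player();
    s.players[2].x = 1.0f;
    return s.RpcRequestAttack(1, 2, 10.0) && s.players[2].health == 75 ? 0 : 1;
}
```

The hardened handler takes no damage or health value at all, so the only things a modified client can vary are the target id and how often it asks, and both are checked against server-held state.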