Apparently almost everything except cosmetic effects such as gun flashes needs to be spawned on the server to prevent cheating.
However there are still things that I don’t understand at a logical level
Basically making crucial things happen on server functions instead of client helps to prevent cheating. But if cheater can call a function on client then why can he call a function marked Server? E.g. He can call a function marked server give health which gives health to player , basically he’s calling it because its possible to call it so he isnt doing anything illegal directly.
Why would you mark anything crucial as Server function if the client (Hacker) can call it anyway? **
Checking authority does safeguard things but without it what do server only functions achieve in terms of security?
EDIT: as of cosmetic effects one can even draw a radar or overlay indicating enemy player positions (Known as aim botting) and technically he isn’t violating any server rules since client can do anything on its machine, is using 3rd party anti cheat systems like punkbuster the only way to stop those? or are there other things