What you’re describing is the difference between server-authoritative game engines and client-authoritative ones. Server-authoritative is always the preference from a security and revenue standpoint, but it isn’t technically possible for some game types. Most free-to-play mobile games, for example, are fully server-authoritative because their real-time elements are minimal, so it’s straightforward to do. Server-authoritativeness is no guarantee of security, though. Cheaters in those games still exist because you can spoof server traffic, execute man-in-the-middle attacks, repeat API calls, decode protobuf packets, etc. It’s a lot harder to cheat, but still possible.
Server-authoritative games are more difficult to write, however, and not all game teams have the expertise and experience to do it. It also necessarily creates some limits on game design which a lot of teams aren’t willing to accept. There’s a lot more nuance here than can be covered in a BBS post, but the short answer is that you’re right, it’s better, but it’s not always practical.
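
A minimal sketch of the server-authoritative pattern discussed in the post above, added here as an illustration and not part of the original post: the client sends only an intent, the server takes price and balance from its own state, and tampered or repeated API calls are rejected. The `GameServer` class, the request fields, the session key and the price table are all assumptions constructed for the example.

```python
import hashlib
import hmac
import time

# All names and values below are assumptions constructed for this example.
SESSION_KEY = b"per-session-secret"   # issued by the server at login
PRICES = {"sword": 50}                # price table lives on the server only
MAX_SKEW = 30                         # seconds a signed request stays valid

def _mac(player, item, req_id, ts):
    msg = f"{player}|{item}|{req_id}|{ts}".encode()
    return hmac.new(SESSION_KEY, msg, hashlib.sha256).hexdigest()

def sign(player, item, req_id, ts):
    """What an honest client sends: intent only, no balances or prices."""
    return {"player": player, "item": item, "req_id": req_id, "ts": ts,
            "mac": _mac(player, item, req_id, ts)}

class GameServer:
    def __init__(self):
        self.players = {"p1": {"gold": 120, "items": []}}
        self.seen = set()  # request ids already processed (evict after MAX_SKEW in real use)

    def handle_buy(self, req, now=None):
        now = time.time() if now is None else now
        expected = _mac(req["player"], req["item"], req["req_id"], req["ts"])
        if not hmac.compare_digest(expected, str(req.get("mac", ""))):
            return "rejected: bad mac"        # modified in transit
        if abs(now - req["ts"]) > MAX_SKEW:
            return "rejected: stale"          # old capture sent again later
        if req["req_id"] in self.seen:
            return "rejected: replay"         # same API call repeated
        self.seen.add(req["req_id"])
        # Authoritative step: any "price" or "gold" field in req is ignored.
        player = self.players.get(req["player"])
        price = PRICES.get(req["item"])
        if player is None or price is None:
            return "rejected: unknown"
        if player["gold"] < price:
            return "rejected: insufficient gold"
        player["gold"] -= price
        player["items"].append(req["item"])
        return "ok"
```

The MAC only covers tampering and replay on the wire; a modified client that holds the session key can still sign requests, which is why the outcome is computed from server state alone.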