This ticket is private because it quite sensitive so please give it priority.
Earlier today I was able to join Battleye protected public server and execute custom code in my client and it was pretty easy.
Lets look at stance indicator (only because I stumbled upon this when was looking for it):
x = "10.1 * ( ((safezoneW / safezoneH) min 1.2) / 40) + (call compile (profilenamespace getvariable [""IGUI_GRID_WEAPON_X"",str ( ((safezoneX + safezoneW) - (12.4 * ( ((safezoneW / safezoneH) min 1.2) / 40)) - 0.5 * ( ((safezoneW / safezoneH) min 1.2) / 40)))]))";
What are we looking at? The dreadful "call compile", which on top of everything is done on profileNamespace variable! Don't know about you but I'm personally lost for words. How to stop hacking 101 - do not call compile a variable that can be altered by third party!
Unfortunately this is not a single instance, other pofileNamespace variables are call compiled throughout config left right and centre. Son, I'm so disappoint right now.