Exposed custom state is secure in plugin

I’m creating a plugin that deals with user credits and it needs to be formatted, I’m using exposed states in the plugin and then I’ll forward the formatted value via an API, I’d like to know if executing this this way poses any risk for the user to edit this value on the client side, since the custom states are on the client side, and what would be a safe way to execute this?

when you send the value to the api, is it GET or POST? POST is always secure.

In this case, I will get the formatted value that is in the custom states, the value will be obtained through a workflow, is there a chance for the client to change it?

No that’s not possible.