Limit operations like IncrementExperiencePoints() to cloud code only. This will essentially take away the ability to make these calls from the bare client API. You can see a script that enforces these restrictions here: https://getbraincloud.com/apidocs/cloud-code-central/handy-cloud-code-scripts/restrictclientcalls-script/
Refer to the post below for more strategies you can apply to prevent cheating: https://forums.getbraincloud.com/topic/23/discussion-strategies-to-prevent-cheating-in-tournaments