Well I’ve been following the simple app tutorial on here and I noticed if you use Google developer tools and inspect the JS source file you can see everything within the:
if (Meteor.isServer) {
}
Wouldn’t this be classed as a security risk? I am very knew to this and I know that there will be an easy answer to this however I am having an issue completely understanding it. Any help understanding this would be great thanks 
if you dont want something to appear on client, put it to “server” directory.
All the other files are sent to client.
As far as there’s no security-important data revealed in these files, there’s no real security risk. Your user won’t be able to change your server code by tweaking it on the client.
But the right approach is what shock mentioned. Use server and client folders to differ the code whenever needed.
Once you get through the basics and switch to package oriented architecture (which is a best practice for middle-size and big projects), you’ll be declaring where the particular project files should go in package.js files anyways.