Is this enough calculation on server-side to be secure?
May 10, 2024 at 14:29
I'm a beginner at client/server calculations and relationships (never trust the client), and I would like to know if I did or didn't get the concept right.
My weapons are calling this function inside their OnTriggerEnter2D:

    [Rpc(SendTo.Server, RequireOwnership = false)]
    public void TakeDamageServerRpc()
    {
        // Calculate damage and stuff
        // then send to Rpc client
        TakeDamageClientRpc(1, RpcTarget.Single(OwnerClientId, RpcTargetUse.Temp));
    }

This means the damage calculation (here it just sends 1) is done on the server; afterwards, I call the function on the corresponding client side, which looks like this:

    [Rpc(SendTo.SpecifiedInParams)]
    private void TakeDamageClientRpc(int damage, RpcParams rpcParams = default)
    {
        if (state == STATE.DEAD)
            return;
        if (damage >= 1)
            state = STATE.DEAD;
    }

My questions here are:
- Is the state variable on the player safe here? (I'd say yes.)
- Can the integer damage sent to the client be manipulated? (I'd say no.)
- Should TakeDamageServerRpc have an entry variable, can I trust it? (I'd say no.)
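
One server-authoritative arrangement of the same hit logic, as an added example that is not part of the original post: the trigger is evaluated only on the server and the state is replicated through a server-writable NetworkVariable, so no client message carries a damage value and no client-side copy of the state is authoritative. PlayerHealth, Weapon, ApplyDamage and MaxDamagePerHit are hypothetical names, and the code assumes the server (or host) simulates the 2D colliders.

```csharp
using Unity.Netcode;
using UnityEngine;

// Added example, not the poster's code. All class and member names are hypothetical.
public class PlayerHealth : NetworkBehaviour
{
    public enum STATE { ALIVE, DEAD }

    private const int MaxDamagePerHit = 1; // assumed upper bound for one hit

    // Only the server may write this value; clients receive a replicated copy.
    // A modified client can change its local copy, but the server never reads it back.
    public NetworkVariable<STATE> State = new NetworkVariable<STATE>(
        STATE.ALIVE,
        NetworkVariableReadPermission.Everyone,
        NetworkVariableWritePermission.Server);

    public override void OnNetworkSpawn() => State.OnValueChanged += OnStateChanged;
    public override void OnNetworkDespawn() => State.OnValueChanged -= OnStateChanged;

    // Plain method, not an RPC: it is not reachable from the network,
    // so there is no client-supplied argument to validate.
    public void ApplyDamage(int damage)
    {
        if (!IsServer) return;                                // server-side code path only
        if (State.Value == STATE.DEAD) return;                // already dead, ignore
        if (damage < 1 || damage > MaxDamagePerHit) return;   // reject out-of-range values
        State.Value = STATE.DEAD;                             // replicated to every client
    }

    // Runs on every instance when the replicated value changes: presentation only.
    private void OnStateChanged(STATE previous, STATE current)
    {
        if (current == STATE.DEAD)
            Debug.Log($"Player owned by client {OwnerClientId} died");
    }
}

public class Weapon : NetworkBehaviour
{
    private void OnTriggerEnter2D(Collider2D other)
    {
        if (!IsServer) return; // clients never decide that a hit happened
        if (other.TryGetComponent(out PlayerHealth target))
            target.ApplyDamage(1); // damage is computed on the server
    }
}
```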