I am making a website,and i don't want users to execute functions in the script from the javascript console.I figured out i can put all of the code into a block scope and declare everything with let.Is this bad practice?
It's normal to want to limit the scope of any symbol (variable, function) to prevent unintended use. What you make global or as part of module exports is the 'published interface', anything else is likely to be private.
Immediately-invoked function expressions (IIFE) are a typical way to achieve this.