That’s a good question, with quite a general answer. Browser code (in Forms and Modules) is always untrusted, because the user can manipulate their browser to do whatever they want. Server code (in Server Modules) is never seen by the user, so they cannot modify it. It is trusted.
So if code in the browser is choosing something like a date range, a sufficiently motivated user could theoretically modify that date range, yes. I would do something like pass the requested start and end dates to a server function, which would then validate the range and return the results in the validated range (or perhaps raise an Exception).
There’s one extra thing to think about in your case - the local timezone of the user. The only way you can possibly know the timezone of the user is by querying their browser. That’s how anvil.tz.tzlocal works, and why it will only work in code running on the browser (on the server it always returns UTC). This means that the user has complete control over which timezone they report anyway, so you don’t lose anything security-wise by doing timezone calculations in the browser code.
Hope that helps!