Please explain why you think a SQL Server is needed for this, any more so than the ACE.
They are both databases that can be hacked with the correct internal knowledge or exploits.
Even Microsoft can't keep their user's data safe on SQL Server.
Midnight Blizzard for one.

With Microsoft Access, any user can copy/delete records from an Access back end. They can even copy the Access back end file itself. With SQL Server, permissions are enforced on the server level. Access permissions on SQL Server are usually stored on the server itself, and only users with owner or admin rights can edit those permissions directly. Password cracking software does exist, but that highlights the importance of using a strong password that the computer can’t easily guess.

You are correct in that nothing is ever 100% hack proof. Anybody who knows what they’re doing can still get in. Even using SQL Server Authentication stores your password in the ODBC Connection String if you link tables using a DSN, but a strong password, never sharing that password with others, and keeping your data properly secured will make it significantly more difficult. Plus, Rick himself always says sensitive data or many simultaneous users need to use SQL Server for their back end.

If you use SQL Server Authentication, it’s an extra login that hackers would have to worry about, so if they can get into your Windows account, it doesn’t let them access your server, but it stores your login credentials directly in the connection string, so you do have to pick your battles a little bit. If you use Windows Authentication, you should generally be fine as long as you don’t share your Windows credentials.

Any user that can get to the Navigation Pane, that's true. You do keep non-admin users from that, right?
Also, expose any "secure" data from SQL Server in a form or report, and a photo can be taken.
Heck, I've even used pencil and paper to capture "sensitive" data.
As to the BE files, I understand they can be encrypted. So, a user copies it and then what?

Anyone (even legitimate users) absolutely can do any of that stuff. I’m the only one that uses my database and I don’t let anyone else mess with the data.

I should clarify that as far as copying Access BE files, a user can copy it and use any information stored in it to do whatever they want. I’ve read numerous stories of security breaches regarding credit card fraud or identity theft because end users had virtually unlimited read/write access to the back end file.

With that being said, I always make sure to lock my computer whenever I’m away from it. The computer itself is secured with a password that only I have access to with a local Windows account. However, it is true that all the security in the world does not do any good if you leave your computer open and vulnerable, in the (unlikely but still possible) event someone else got their hands on it.

Good discussion here. The key thing to understand is that this isn't about "hack proof vs not hack proof" because nothing is. It's about layers of security and risk reduction.

With an Access (ACE) back end, your entire database is a file. If someone can get to that file, they can copy it, take it offline, and attempt to crack it or read it with other tools. Even with encryption, you're still relying on file-level security. Once the file is in someone else's hands, your control is basically gone.

With SQL Server, the data never leaves the server. Users connect to it, but they don't get a copy of the database. Security is enforced at the server level with logins, roles, and permissions. You can control exactly who can see which tables, which rows, even which columns. You also get auditing, better encryption options, and the ability to lock things down in ways ACE simply doesn't support.

Thomas is absolutely right that if someone can see the data on the screen, they can capture it. That's true of any system. But that's a different problem (endpoint/user behavior) than database security.

So the short version is:
Access security is file-based.
SQL Server security is server-based.

For non-sensitive data and small setups, Access is fine. But for things like credit cards, medical info, or anything regulated, SQL Server (or another server-based system) is the safer and more appropriate choice.