We use access modifiers to limit the user access to protected/private variables, but how could the user even attempt to gain access to them?

If, for example, a developer is creating a desktop application or even a web app. How could a user go about exploiting access to variables/methods that should be protected/private but are declared public?