Are full state multiplayer games easy to hack?

Started by September 22, 2019 06:44 PM
4 comments, last by Prototype 5 years, 2 months ago

Let's say I write a game in C++ and part of the game tracks the location of every player in memory.

For example some vector of Positions:
struct Position {
  float x;
  float y;
};

I have two questions.

1. My assumption is that people develop hacking tools by observing the game memory and being able to find and reverse-engineer the meaning of the values in memory. Thus, games that hold the full state in memory (as opposed to requiring some server to tell you info only when it's relevant) are significantly easier to hack. Is that correct?
2. If the above is right, could you combat this by basically patching every week, shuffling your code around in ways that are logically equivalent but yield different data structures in memory?
Like, just reorder the fields in your struct to:
struct Position {
  float y;
  float x;
};

You have no choice but to have some local model representation of your game in your client's memory. If you follow the client-server architecture, the client should only use its data as a way to predict what is going to happen in the future so that it can be updated as fast as possible. As such, both the client and the server run the simulation of the game, but the final state is decided by the server by broadcasting the latest game state changes to your clients. Then, your client can either change nothing if its local representation matches what the server told it, or it can override its data if it 'sailed' too far away from the server's state. That way, whatever changes are done to your client's memory state don't matter because it will always be steered back in the right direction.

If the game executes deterministically (let's assume mine is) it seems much simpler to me to keep the full state and only communicate player inputs. The only downside I can think of is the possibility of memory hacking, which is why I was wondering if 2 above was a valid mitigation tactic.

Yes, it's easy for cheaters to read any data from your game's memory. That's why it's much safer to use a client-server architecture for multiplayer games, process the simulation on the server side and only send data to the client when it's absolutely necessary and would be shown anyway. You don't want the client to have information about the positions of opponents/NPCs which are outside the screen or behind walls.

1. Yes
2. No

To elaborate a little more, patching might delay the next hacking attempt but eventually a general solution will be found if it's interesting enough. It's also not a workable solution. There's just no other option than to assume all local data is unsafe.
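
An added example, not code from any reply in this thread: a server-side snapshot filter for the advice above to send a client only what it would be shown anyway, so opponents that are out of range or behind a wall never reach client memory. The names `Player`, `Wall`, `snapshotFor` and the circular view radius are assumptions made for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

struct Position { float x; float y; };
struct Player   { std::uint32_t id; Position pos; };
struct Wall     { Position a; Position b; };  // opaque line segment (assumed model)

// Signed area of triangle (p, q, r): the sign tells which side of p->q r lies on.
static float cross(Position p, Position q, Position r) {
    return (q.x - p.x) * (r.y - p.y) - (q.y - p.y) * (r.x - p.x);
}

// True when segment p1-p2 strictly crosses segment q1-q2. Touching and
// collinear cases count as "not blocked" here; a real server must pick a policy.
static bool segmentsCross(Position p1, Position p2, Position q1, Position q2) {
    float d1 = cross(q1, q2, p1), d2 = cross(q1, q2, p2);
    float d3 = cross(p1, p2, q1), d4 = cross(p1, p2, q2);
    return d1 * d2 < 0 && d3 * d4 < 0;
}

// Runs on the server: the snapshot for `viewer` holds the viewer plus only
// those opponents that are within view range and not occluded by a wall.
std::vector<Player> snapshotFor(const Player& viewer, const std::vector<Player>& all,
                                const std::vector<Wall>& walls, float viewRadius) {
    std::vector<Player> out;
    for (const Player& p : all) {
        if (p.id == viewer.id) { out.push_back(p); continue; }
        float dx = p.pos.x - viewer.pos.x, dy = p.pos.y - viewer.pos.y;
        if (dx * dx + dy * dy > viewRadius * viewRadius) continue;  // off screen
        bool hidden = false;
        for (const Wall& w : walls)
            if (segmentsCross(viewer.pos, p.pos, w.a, w.b)) { hidden = true; break; }
        if (!hidden) out.push_back(p);
    }
    return out;
}

// Constructed sample world: player 3 is behind a wall, player 4 is far away.
std::vector<std::uint32_t> demoVisibleIds() {
    std::vector<Player> all = {{1, {0, 0}}, {2, {3, 0}}, {3, {0, 4}}, {4, {50, 50}}};
    std::vector<Wall> walls = {{{-1, 2}, {1, 2}}};
    std::vector<std::uint32_t> ids;
    for (const Player& p : snapshotFor(all[0], all, walls, 10.0f)) ids.push_back(p.id);
    return ids;
}

int main() { for (auto id : demoVisibleIds()) std::printf("visible: %u\n", (unsigned)id); }
```

With this filter in place, reading client memory yields only the entities already drawn on that player's screen, regardless of how the `Position` fields are ordered.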

This topic is closed to new replies.