The source is part of the package, at worst minified, obfuscated, pulling code from external sources. You can inspect it yourself by unpacking the extension installation package and browsing the JavaScript.

So what you read every line of JavaScript? Or you have some tool for that? I personally can’t imagine catching every potential issue, especially something sneaky, from source.