The code is usually minified and heavily obfuscated, but you CAN view the source code for any extension:
https://kaveh.page/snippets/chrome-extensions-source-code
Even a tiny extension like this one I wrote with 2k users gets buyout offers all the time to turn it into malware: https://chromewebstore.google.com/detail/one-click-image-sav...
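
An added example, not part of the original comment or the linked snippet: a Python sketch of reviewing a downloaded extension package by stripping the CRX3 header, reading `manifest.json` from the embedded ZIP, and listing broad permission grants and shipped scripts. The `BROAD` list, the function names and the sample package are assumptions constructed for this example, and the header signature is not verified.

```python
import io
import json
import struct
import zipfile

# Illustrative list of broad grants worth a second look (chosen for this example).
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*",
         "tabs", "cookies", "webRequest", "scripting", "history"}

def crx_to_zip(data: bytes) -> bytes:
    """Return the ZIP archive embedded in a CRX3 package."""
    if data[:4] == b"PK\x03\x04":          # already a plain ZIP
        return data
    if data[:4] != b"Cr24":
        raise ValueError("not a CRX package")
    version, header_len = struct.unpack("<II", data[4:12])
    if version != 3:
        raise ValueError(f"unsupported CRX version {version}")
    return data[12 + header_len:]          # skip the signed header

def audit(data: bytes) -> dict:
    """Summarise what an extension package asks for and ships."""
    with zipfile.ZipFile(io.BytesIO(crx_to_zip(data))) as zf:
        manifest = json.loads(zf.read("manifest.json"))
        scripts = sorted(n for n in zf.namelist() if n.endswith(".js"))
    asked = list(manifest.get("permissions", []))
    asked += manifest.get("host_permissions", [])
    for cs in manifest.get("content_scripts", []):
        asked += cs.get("matches", [])
    asked = {p for p in asked if isinstance(p, str)}  # ignore non-string entries
    return {"name": manifest.get("name"), "version": manifest.get("version"),
            "broad": sorted(asked & BROAD), "scripts": scripts}

def build_sample() -> bytes:
    """Constructed test package: dummy 4-byte header, not a signed CRX."""
    manifest = {"name": "Sample", "version": "1.0", "manifest_version": 3,
                "permissions": ["storage", "tabs"],
                "host_permissions": ["<all_urls>"],
                "content_scripts": [{"matches": ["https://*/*"], "js": ["cs.js"]}]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("cs.js", "console.log('constructed');")
    return b"Cr24" + struct.pack("<II", 3, 4) + b"\x00" * 4 + buf.getvalue()

if __name__ == "__main__":
    print(json.dumps(audit(build_sample()), indent=2))
```

Running `audit` on each new version of an installed extension and comparing the `broad` and `scripts` fields against the previous version shows when an update starts asking for more than before.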