Use a code obfuscator. While it's true that obfuscated code can be reverse-engineered, it requires a good amount of skill and effort, providing a basic layer of protection. Tools like javascript-obfuscator can make your code harder to read and modify.

Move critical parts of your extension's functionality to a web service if possible. This way, the sensitive logic resides on your server, which you can easily secure, and the extension only interacts with the server through API calls. This setup ensures that even if someone accesses the extension's source code, they won't have access to the core functionality.