It's not similar to a binary file, since re a binary file is a pain in the ass and looking at JS with some obfuscation is much easier.

Your example is valid, but it's like asking "how can I know that my iPhone doesn't record me while I'm sleeping?"

Forgive me if I’m just being naive but couldn’t you look at the source from the browser dev tools?

All logic is clientside in the downloaded JS and HTML. After the initial page load, it should send nothing to the backend of the website, only API calls to chatGPT API itself. There is no actual backend with logic, it only serves static HTML+JS+assets.

Theoretically, you should be able to block any outgoing connections to the website domain (after it loads all necessary HTML and JS), and it should still work fine. Saying "theoretically" because it might attempt delay-loading some static assets, but you get the idea. No idea how this specific website functions, as I haven't looked deep into it yet, but that's the principle behind "static websites" like this one.

This is a static website, no backend.