I’m developing a JupyterLab extension, and right now, the code of the server part of the extension can be accessed by opening the terminal in the Lab instance and navigating to Python site-packages directory.
Is there a way to make the extension code inaccessible to the user?
Yes, there is more than one way. You could disable or customise the terminal command (on the server) so that the terminal runs with limitted privilages, but then you probably also want to do the same for the kernel (which is more work), but you could then use a remote kernel (spun on a different machine) to avoid the risk of user touching anything via the kernel.