Those are valid concerns and it's smart to think about those things. I had the same thoughts initially.
Using your browser developer tools, you can see what HTTP requests it makes. It's all just loading code.
Also, you can use a local copy of it to ensure you're not getting a hacked/targeted version that's different between times that you use it. I use a local copy. You can find a downloadable zip file in the releases section: https://github.com/gchq/CyberChef/releases
You could also build it from the source, but I haven't bothered to set that up.
Using your browser developer tools, you can see what HTTP requests it makes. It's all just loading code.
Also, you can use a local copy of it to ensure you're not getting a hacked/targeted version that's different between times that you use it. I use a local copy. You can find a downloadable zip file in the releases section: https://github.com/gchq/CyberChef/releases
You could also build it from the source, but I haven't bothered to set that up.