
Issue 866581

Starred by 3 users

Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Feature


Previous locations:
monorail:4006


Service worker can modify content scripts' injected scripts

Reported by some.fr...@gmail.com, Jul 9

Issue description

What steps will reproduce the problem?
(1) Create a service worker which intercepts HTTP requests for scripts and responds with custom code. Create a web page which loads/embeds the service worker.
(2) Create an extension, add a content script which further injects a script in all web pages (a remote script like https://code.jquery.com/jquery-3.3.1.min.js or a web accessible resource of the extension bundle). Load the extension in developer mode.
(3) Load the web page in a new browser tab.



What is the expected output?

As an extension is privileged compared to a web application, we were expecting that a service worker would not be able to modify scripts (or any other content) injected by an extension content script.
For instance, suppose an Adblocker is injecting a script in the page DOM to remove ads; if the page can modify this script, then it prevents the extension from working properly.



What do you see instead?

The service worker can intercept and modify scripts injected by an extension content script.



Please provide any additional information below.

This also applies to web accessible resources injected in web pages by content scripts. 
We found a similar issue on Firefox. However, web accessible resources are not routed to service workers.
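
An integrity check an extension author could use to detect the substitution described in this report, as an added example that is not part of the original report or of Chromium's code: it compares the bytes actually delivered for an injected script with a Subresource-Integrity-style digest pinned when the extension was built. The function names and script bodies are constructed for illustration, and the block runs under Node.js; whether Chrome applies the `integrity` attribute to responses supplied by a service worker is not stated in this issue.

```javascript
// Added example (not from the issue or from Chromium): detect whether the
// bytes delivered for an injected script still match what the extension shipped.
const { createHash, timingSafeEqual } = require('node:crypto');

// Algorithms allowed in Subresource Integrity metadata, weakest to strongest.
const ALGOS = ['sha256', 'sha384', 'sha512'];

// Build an SRI-style token ("sha384-<base64 digest>") for a script body.
function sriToken(body, algo = 'sha384') {
  return `${algo}-${createHash(algo).update(body).digest('base64')}`;
}

// Parse integrity metadata and keep only the tokens of the strongest
// algorithm present, so a weaker digest cannot override a stronger one.
function strongestTokens(metadata) {
  const parsed = metadata.trim().split(/\s+/)
    .map((t) => /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})$/.exec(t))
    .filter(Boolean)
    .map((m) => ({ algo: m[1], digest: Buffer.from(m[2], 'base64') }));
  const best = Math.max(-1, ...parsed.map((p) => ALGOS.indexOf(p.algo)));
  return parsed.filter((p) => ALGOS.indexOf(p.algo) === best);
}

// True only if the delivered body matches one pinned digest. Empty or
// unparseable metadata fails closed (a choice made for this example).
function matchesPinned(body, metadata) {
  return strongestTokens(metadata).some(({ algo, digest }) => {
    const actual = createHash(algo).update(body).digest();
    return actual.length === digest.length && timingSafeEqual(actual, digest);
  });
}

// Constructed sample data: the script the extension bundles, and a body that
// a page-controlled service worker returned in its place.
const SHIPPED = 'window.__adFilter = { enabled: true };';
const DELIVERED_BY_PAGE_SW = 'window.__adFilter = { enabled: false };';
const PINNED = sriToken(SHIPPED); // computed at extension build time

console.log('shipped bytes  :', matchesPinned(SHIPPED, PINNED));
console.log('replaced bytes :', matchesPinned(DELIVERED_BY_PAGE_SW, PINNED));
```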

 
Project: chromium
Moved issue monorail:4006 to now be issue chromium:866581.
Components: Blink>ServiceWorker
Labels: -Priority-Medium Pri-1
Components: Platform>Extensions
Labels: -Pri-1 -Type-Defect Pri-3 Type-Feature
Status: Available (was: New)
Not sure. What does extensions team think about this?

In general the desired extensions and service worker interaction isn't well-understood.
Cc: devlin@chromium.org lazyboy@chromium.org
Cc: karandeepb@chromium.org