Assuming you use the chrome.sidePanel API, the URL of the page is chrome-extension://id/foo.html, which means it runs inside the separate OS process for this extension, i.e. it's actual isolation. The content scripts aren't physically isolated; they run in the OS process of the website, and there's just a thin membrane in V8 that can be pierced via side-channel attacks from JS.
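
A practical consequence of the split described above, as an added example that is not part of the original post: the side panel page keeps secrets in the extension process and treats anything relayed by a content script as untrusted input. The message types (`selection`, `getToken`), the field names, and the sample token are assumptions made for illustration.

```javascript
// Runs in the side panel page (chrome-extension://<id>/foo.html), i.e. in the
// extension's own OS process. Message names and fields are hypothetical.
const MAX_TEXT = 2000;
const secrets = { apiToken: "constructed-sample-token" }; // stays in this process

// Decide what to do with a message; returns the reply to send back.
function handleMessage(msg, sender, selfId) {
  // Only accept messages from this extension's own contexts.
  if (!sender || sender.id !== selfId) return { ok: false, error: "foreign sender" };
  // sender.tab is set for content scripts. They share the website's process,
  // so everything in msg is untrusted input.
  const fromContentScript = Boolean(sender.tab);
  if (msg === null || typeof msg !== "object") return { ok: false, error: "bad message" };

  switch (msg.type) {
    case "selection": // page text relayed by the content script
      if (typeof msg.text !== "string" || msg.text.length > MAX_TEXT) {
        return { ok: false, error: "bad payload" };
      }
      return { ok: true, length: msg.text.length };
    case "getToken":
      // Secrets never cross into the website's process.
      if (fromContentScript) return { ok: false, error: "denied" };
      return { ok: true, token: secrets.apiToken };
    default:
      return { ok: false, error: "unknown type" };
  }
}

// Wire up only when running inside the extension (skipped under plain Node).
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessage) {
  chrome.runtime.onMessage.addListener((msg, sender, sendResponse) => {
    sendResponse(handleMessage(msg, sender, chrome.runtime.id));
  });
}
```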