processJSWithSrc vs malicious server?

[canning-duck]

Hello,

As far as i understand, processJSWithSrc() fetches the source URL from the server to verify the code. How do we know that the same exact script will be loaded in the page? Theorically, a malicious server could provide two different versions.