Migration plugins have access to everything. They read your whole database and all your files. A hacker doesn't just want to break your site; they want to copy your database so they can sell the login credentials or credit card data on the dark web.
No. If the source of the code is not the official developer (ServMask/WordPress.org), the code has been handled by a third party. There is no guarantee it hasn't been injected with malicious code, even if your friend didn't see any visible errors.
Q: Are there alternative migration plugins available? A: Yes, there are several alternative migration plugins available, including Duplicator, WPvivid Backup, and UpdraftPlus.