Third-party actions permissions

Can a 3rd-party action (from the marketplace) do malicious things to my repos, such as exposing secret data or tokens, or actively destroying files?

My worry is that for some reason, a developer goes rogue and steals data from users of the action.