Most deuobfuscators if not all beautify the code, and that’s pretty much all they do, they aren’t magically getting the variables and functions which is the important thing, exploiters still have to resolve the unreadable code.
The only way they could get the full source is if the obfuscator that the person used has an deobfuscate function, that resolves everything, then that obfuscator is pretty much useless, and they are many other options out there.