The key is provided by chrome extension code, where the code is loaded through injectScript.

It will never be impossible to deobfuscate, I guess that is the nature of js, but if it is not possible to simply use an online tool that recognizes that it has been obfuscated using the javascript-obuscator tool and deobfuscates it right away.

Hiding the key elsewhere will make it much harder, and require real effort.

Don't sure on 100%. But, suppose external key is like:
const key = await fetchKey()?
Or what you mean instead?

Well, I would like to provide a key string to be used when obfuscating (as an option) and a function that retrieves the key from within the script, again as an option. Fx.:
{ stringArrayEncodingRc4Key: 'some-key', //If the key fx. is stored as the id value of the script inserted stringArrayEncodingRc4KeyFunction: 'currentScript.attributes.id.value' }

It could also be a global variable, or fetched async from somewhere etc.:-)

Same as right now?

No a I mean in the global scope, fx. set on global/window object. The point is that the key is NOT part of the script itself, and therefore the script can not on its own be deobfuscated, but requires at least the detective task to figure out from where / how the key is obtained.