When you publish with Expo, your JS is minified and bundled up into a single file, so its not very easy to read or modify, but it is still JS.
Unlist is just like an unlisted YouTube video. Someone who knows the URL to your app can access it by going there, but that URL won’t be listed anywhere.
If your app is public, then it will be listed on your developer profile and it can be found by searching on https://expo.io/
The way that your JS code is distributed is the same in both cases; those distinctions are just about whether people can find the URL of your app.
Does this answer your question?