@onur-ozkan
Last active May 25, 2022 07:39

MetaMask has its own method for using services in a dapp that require authority. However, I find it pretty unsafe. It took me around 1 hour to figure out the INFURA_PROJECT_ID.

When you check the source code, you can't see any hard-coded API keys. They use an environment variable instead and provide it from the build machine, so the key must be inside the build files.


In MetaMask's browser extension, all the magic happens in background.html, which runs background.js as a background worker. So you can't track the network activity in dev tools unless you have the background.html page open.


But if you open the background.html page, you can track the network operations there and find the INFURA_PROJECT_ID.


You can also find it by using the browser's debugging feature.

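A build-side check for the situation described above, where a value supplied through an environment variable on the build machine ends up inside the build files. This is an added example, not code from this gist or from MetaMask: it reports which build-time values appear in the shipped files, so a team knows exactly what every user can read. The file names, `EXAMPLE_SIGNING_KEY`, `publicNames` and all values are constructed for illustration; only the name `INFURA_PROJECT_ID` comes from the gist.

```javascript
// Added example (not MetaMask code): list build-time variables whose values
// were inlined into shipped bundle files and are therefore readable by users.

// Forms in which an inlined value may appear in a bundle.
function encodings(value) {
  return [
    ['raw', value],
    ['uri', encodeURIComponent(value)],
    ['base64', Buffer.from(value, 'utf8').toString('base64')],
  ];
}

// files:       { path: contents } for every file in the build output
// env:         { NAME: value } as seen by the build machine
// publicNames: variables the team has accepted as visible to every user
function findInlined(files, env, publicNames = []) {
  const hits = [];
  for (const [name, value] of Object.entries(env)) {
    if (publicNames.includes(name)) continue;
    // Very short values match by accident, so they are skipped.
    if (typeof value !== 'string' || value.length < 8) continue;
    for (const [file, text] of Object.entries(files)) {
      const found = encodings(value).find(([, v]) => text.includes(v));
      if (found) hits.push({ name, file, encoding: found[0] });
    }
  }
  return hits;
}

// Constructed sample input; every value below is a placeholder.
const SAMPLE_ENV = {
  INFURA_PROJECT_ID: 'constructed-id-0000',    // name from the gist, value made up
  EXAMPLE_SIGNING_KEY: 'constructed-key-1111', // hypothetical variable
};
const SAMPLE_FILES = {
  'background.js': 'fetch("https://rpc.example.invalid/v3/" + "constructed-id-0000");',
  'ui.js': 'const k = atob("' +
    Buffer.from('constructed-key-1111').toString('base64') + '");',
  'popup.html': '<script src="ui.js"></script>',
};

for (const h of findInlined(SAMPLE_FILES, SAMPLE_ENV)) {
  console.log(`${h.name} is inlined in ${h.file} (${h.encoding})`);
}
```

In CI, fill `files` from the extension's build output and `env` from the build machine's environment, then fail the job when the result contains a variable that is not in `publicNames`.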
