I'm wondering though, if i use this plugin does it mean that chipmixer will be able to access my private keys on electrum when they need it(since deposit is done through the plugin, right?)
Plugin source code is open and ready to inspect. ChipMixer doesn't read or send your privkeys anywhere. When you click "Deposit", plugin prefills send form with deposit address and payment comment. There is no hidden action - sending is the same as any other Electrum send.
when i withdraw it's basically just importing private keys into a separate wallet, correct? Isn't sweeping it more secure since there is always a risk of these private keys being compromised and when they get spent nobody knows who to blame?
ChipMixer's default is to give the most privacy, but allow to take less.
Importing private key does not leave a trace on blockchain so it is more private. Sweeping is more secure.