Updates run for themes and plugins only if there is a registered update server. If you have a custom (child) theme, or a plugin not hosted on wordpress.org and without a custom update mechanism there will be no updates.
In all other cases: Yes, you are right, the changes could be overwritten.
But this is not the only problem. Editing files per back-end may have side effects:
- If you have an error in the edited code the whole back-end might become inaccessible, so you couldn’t even fix that error.
- There is no version control, changes are not reversible, and if other people aren’t aware of those changes they might overwrite what you have done with their updates per FTP or SSH.
I recommend a simple mu-plugin with just one line of code:
! defined( 'DISALLOW_FILE_EDIT' ) and define( 'DISALLOW_FILE_EDIT', TRUE );
This will disable the file editor.
@BarryCarlyon recommends the wp-config.php for this. That’s a valid point; I prefer a mu-plugin because it easier to see in back-end why something doesn’t work when there is a dedicated plugin.