Yes
In short, yes! Just like traditional TCP-Sockets, WebSocket transmit text- or binary frames, even if you use SSL-Enabled websockets (wss) it will be decryptet when arrived at the certain endpoint.
I do not know which framework you are using but even if you have "the feeling" of sending objects throught the socket this is not really the case.
Every object will in some way be marshalized - be it to XML, JSON or some other protocol which will end up as pure text or bytecode. This will then be read on the other endpoint and again demarshalized into an object.
A potential hacker would not only have the possibility to read the marshalized text/bytecode (e.g. using builtin-tools from his browser) but easily access javascript DOM to get the datam or even maniuplate it.