Yes, they can.
If HTML content is not present within an email, IMail.GetBodyAsHtml wraps plain text in HTML tags, forming a proper HTML document - no script can be present in this situation.
If, however, HTML content is defined, IMail.GetBodyAsHtml returns the HTML data without any modifications (working in the same way as IMail.Html). This means that if the sender included script tags in the HTML, they are not removed.
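One way to handle this before showing the body in a browser or web view, as an added example that is not part of the original answer or the library's own code. It assumes the third-party HtmlSanitizer NuGet package (namespace Ganss.Xss) for the cleanup step; the message and the class and method names are constructed for illustration.

```csharp
using System;
using System.Text;
using Ganss.Xss;        // assumption: third-party HtmlSanitizer package, not part of Mail.dll
using Limilabs.Mail;

static class SafeMailHtml
{
    // Constructed sample: an HTML-only message carrying a script tag
    // and an inline event handler, as a sender could include them.
    const string SampleEml =
        "From: sender@example.com\r\n" +
        "To: recipient@example.com\r\n" +
        "Subject: constructed sample\r\n" +
        "MIME-Version: 1.0\r\n" +
        "Content-Type: text/html; charset=utf-8\r\n" +
        "\r\n" +
        "<html><body><p onclick=\"track()\">Hello</p>" +
        "<script>document.title='changed'</script></body></html>\r\n";

    // Hypothetical helper: returns markup intended for display.
    public static string ToDisplayHtml(IMail email)
    {
        // With HTML present, GetBodyAsHtml returns the sender's markup
        // unmodified, so treat it as untrusted input.
        string untrusted = email.GetBodyAsHtml();

        // Sanitize() parses the markup and keeps only allowlisted tags,
        // attributes, URL schemes and CSS properties. Script elements and
        // on* handlers are not on the default allowlist.
        var sanitizer = new HtmlSanitizer();
        return sanitizer.Sanitize(untrusted);
    }

    static void Main()
    {
        IMail email = new MailBuilder()
            .CreateFromEml(Encoding.UTF8.GetBytes(SampleEml));

        Console.WriteLine("Raw body as returned by GetBodyAsHtml:");
        Console.WriteLine(email.GetBodyAsHtml());

        Console.WriteLine("Body after sanitizing:");
        Console.WriteLine(ToDisplayHtml(email));
    }
}
```

Sanitizing on every render path, rather than once at download time, keeps a later change to the display code from exposing the raw body.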