timmy010: How do passwords work? I have a multi-user computer and so people do their own things such as set up proxies. I don't know what one really is or how safe it is. I understand proxies as a middle-man. So say I log into GOG, but I did it over a proxy. Are my credentials encrypted at my computer before being transmitted? Or is it in plain text and only encrypted at a storage level on the server? I suppose another way of asking is: is there any way a dodgy proxy can steal my credentials? Thank you
Rough explanation:
Depends on the implementation, but the state of the art for decades (and the correct way to do this) is to first transform your password with a one-way function into another form (i.e., cryptographically hash the password), and then send this value to the server.
The server only knows this value in its database, and compares the value you send with what it knows. If they match, you log in.
Like I said, this is a one way function, so there is no (computationally feasible) way to convert it back to your password even if somebody captures it on the way. Similarly, the server (e.g., GOG) does not know what your actual password is.
If the hash scheme used has known weaknesses, then an attacker with sufficient computational resources can do the conversion though. So this scheme is as strong as the cryptographic hash function used, and whether it is used properly. Omitting the details here...
EDIT: A few general additions:
- There are multiple layers of security that indirectly affect your security in this case of course. For example, you communicate with GOG over a secure TLS channel, so nothing is transmitted in plain text anyway.
- There are still ways to lose your password hash. For example, GOG's database could get compromised and hashes stolen. Then the attackers can potentially crack your password hash and get the original password. There is nothing you can do about this. Hence it is a good idea to pick a unique pass for each service you use. (removed the salting stuff since ninja'd with a better explanation below!)
- In your threat scenario there are other ways other users can steal your password. For example, are you sure they cannot install a keylogger on the machine?