Edit: This validation is done as a pre-execution check and the txn isn’t included.
It looks like code is loaded in 7702 Step 5 of processing authorization_list where typically code for an EOA is empty or just 0xef0100 || address, but it could be MAX_CODE_SIZE if the authority is a max sized contract. 7702 spec states to fail the individual authorization and continue processing the list.
Not sure if it would be practical for clients to limit code loading here to size(0xef0100 || address), otherwise it might make sense to apply loading code costs here too.
geth, 7702 step 5