According to Google Fonts, they have served 72.3 trillion requests. This is a big privacy concern because Google can track all of those requests and learn a lot about the users making them.
According to this article, a website was fined €100 for leaking IPs to Google Fonts, violating GDPR. This means that if you want to use Google Fonts, you have to have consent from the user. The only way to avoid this is to self-host the font.
This is actually really easy to do, as all of their fonts are in their GitHub fonts repository. Most fonts are licensed under the SIL Open Font License v1.1, the Ubuntu fonts are licensed under the Ubuntu Font License v1.0, and the rest of the fonts are under an Apache 2 license.
If you want to use the Ubuntu font, you can download all of the ttf files at /ufl/ubuntu.
If you self-host your own fonts, the client also only has to make one request: downloading the font. Google Fonts requires the user to download two files: the CSS and the font. These two requests also depend on each other, so if your client has a bad ping, it will take a while for both requests to go through. This might not seem that bad because the requests can be cached, but Google Fonts will not cache the CSS request that your client sends; the actual font is cached, but the CSS request is not.
If you self-host the font, it is easy for you to add it to your CSS. You can use the following CSS to do this:
    @font-face {
        font-family: "Ubuntu";
        src: url(http://www.example.org/Ubuntu-Regular.ttf) format("truetype");
    }
    p {
        font-family: "Ubuntu", Verdana, Tahoma;
    }
Using a CDN for hosting your JavaScript could be an even bigger risk. 28.5% of all websites use a JavaScript CDN.
Not only can these providers do the same thing that Google Fonts does and track users across the web, but they also control a powerful part of your website. If the provider is ever hacked, whoever controls it can inject any JavaScript they want into your website.
If you self-host your JavaScript, you still take on the risk of getting hacked yourself, but that was already a risk to begin with. Self-hosting a JavaScript library will barely add any latency to your site, unless it's running on a toaster. Your JavaScript can also be cached, so the client won't even be affected after the first page load.
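To find what still needs to be moved, the following added example (not part of the original post) lists every script, stylesheet and inline-CSS URL on a page that is served from a host other than your own. The names `ThirdPartyAudit` and `audit`, the `example.net` hosts and the sample page are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Matches url(...) and @import "..." references inside CSS text.
CSS_REF = re.compile(r"""url\(\s*['"]?([^'")\s]+)|@import\s+['"]([^'"]+)""", re.I)
# Constructed sample page; www.example.org stands in for your own site.
SAMPLE = """<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Ubuntu">
<script src="//cdn.example.net/lib.min.js"></script>
<script src="/js/app.js"></script>
<style>@import url("https://fonts.example.net/extra.css");
@font-face { font-family: "Ubuntu"; src: url(/Ubuntu-Regular.ttf) format("truetype"); }
</style></head></html>"""

class ThirdPartyAudit(HTMLParser):
    """Collects script, stylesheet and CSS URLs served from another host."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.site_host = urlsplit(page_url).hostname
        self.findings = []    # (kind, absolute URL) pairs, in document order
        self.open_tag = None  # most recent start tag that has not been closed

    def check(self, kind, ref):
        absolute = urljoin(self.page_url, ref)  # resolves relative and //host forms
        host = urlsplit(absolute).hostname
        if host and host != self.site_host:
            self.findings.append((kind, absolute))

    def handle_starttag(self, tag, attrs):
        self.open_tag = tag
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.check("script", a["src"])
        elif tag == "link" and a.get("href") and "stylesheet" in (a.get("rel") or "").lower():
            self.check("stylesheet", a["href"])

    def handle_endtag(self, tag):
        self.open_tag = None

    def handle_data(self, data):
        if self.open_tag == "style":  # inline CSS: @import and @font-face src
            for m in CSS_REF.finditer(data):
                self.check("css", m.group(1) or m.group(2))

def audit(html, page_url):
    parser = ThirdPartyAudit(page_url)
    parser.feed(html)
    return parser.findings
```

Calling `audit(SAMPLE, "https://www.example.org/index.html")` reports the Google Fonts stylesheet, the CDN script and the external `@import`, while the self-hosted `/js/app.js` and `/Ubuntu-Regular.ttf` are left out.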