by raesene6 3177 days ago
To be honest I'm an external security assessor/pentester and I've not had much pushback from clients on this. That said, I don't always get visibility of whether they implement our recommendations or not :)

To me, it's not really a debatable point that loading JS from a source you don't control implies trust in that source and therefore a risk that if they are compromised it affects your site.

Whether that risk is OK for a business depends on a number of factors, like:

- How trustworthy are the sources they're loading from?
- What reviews have they completed on the security of those sources?
- Do they have contracts in place with those sources that cover the requirement for security?