You can set a list of fonts to use and the browser will keep trying until it finds one that is installed. Usually the last one in your list is serif or sans-serif that always works.
That's true, but my comment goes further than that. Webfonts require network requests if they aren't available locally. It might make sense to scan the available font list for similar fonts before initiating a download.
Couldn't a browser do that without necessarily revealing the list of fonts?
if (!isFontAvailable(font)) {
    downloadFont(font);
}
It's not like a tracking script is going to try to iterate over every single existing font out in the wild for fingerprinting purposes. Doing so would be too easy to detect and block at the browser level. In the meantime, a script can get the list of fonts directly.
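
Added example, not part of any comment in this thread: a sketch of the browser-side check discussed above, where each origin gets a small budget of distinct font-availability questions and, once it is exceeded, every answer becomes "not available". The class name, the budget value, the origins and the installed-font list are all hypothetical; no real browser API is shown.

```javascript
// Constructed sample data: fonts "installed" on this machine.
const INSTALLED_FONTS = new Set(["arial", "georgia", "verdana"]);

// Hypothetical guard: limits how many distinct fonts one origin may ask about.
class FontProbeGuard {
  constructor(budget = 5) {
    this.budget = budget;
    this.probed = new Map();  // origin -> Set of distinct font names queried
    this.blocked = new Set(); // origins that exceeded the budget
  }

  // Answers the availability question without ever exposing the full list.
  isFontAvailable(origin, font) {
    const name = font.trim().toLowerCase();
    if (this.blocked.has(origin)) return false; // uniform answer, leaks nothing
    let seen = this.probed.get(origin);
    if (!seen) {
      seen = new Set();
      this.probed.set(origin, seen);
    }
    seen.add(name); // repeated queries for the same font cost nothing extra
    if (seen.size > this.budget) {
      this.blocked.add(origin); // looks like enumeration: stop answering
      return false;
    }
    return INSTALLED_FONTS.has(name);
  }

  // Same decision as the snippet in the thread: download only on a miss.
  resolveFont(origin, font) {
    return this.isFontAvailable(origin, font) ? "local" : "download";
  }

  isBlocked(origin) {
    return this.blocked.has(origin);
  }
}
```

A blocked origin only ever sees "download", so an ordinary page asking about two or three fonts is unaffected while a script walking a long font list learns nothing past the budget.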