by paradroid 2656 days ago
Can you use this to bypass Spectre mitigations in Javascript? You would need to measure time, somehow.

It's not arbitrary code execution, just a toy observation about the specification. Additionally, 1) as noted, none of the font rendering libraries used were capable of recursion without the author's modifications, 2) in a web context, Javascript is unable to access information about actual glyphs rendered or other "font-internal" calculations.

If anything, exposing glyph data to the web API would be a bigger problem for fingerprinting, and probably expose some sort of user browsing history snooping flaw...

> Javascript is unable to access information about actual glyphs rendered or other "font-internal" calculations.

Just render the text to a canvas and read out the pixel data to see the glyphs, a.k.a. canvas fingerprinting. I'm not sure whether getting clever with the font would reveal any information you can't get more easily, though.
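The "draw text, then read the pixels back" pattern that the reply above calls canvas fingerprinting is easy to observe from the defender's side, because it leaves a recognisable API sequence. The following is an added example, not code from the thread: it hooks the text-drawing and pixel-read methods on the canvas prototypes and records every read that happens on a context into which text was drawn. The function names `installCanvasReadMonitor` and `runDemo` are mine, and the `FakeCanvas`/`FakeContext` classes are constructed stand-ins for the browser prototypes so that the example runs in Node; in a browser you would pass `HTMLCanvasElement.prototype` and `CanvasRenderingContext2D.prototype` instead.

```javascript
// Added example (not from the thread): monitor the canvas-readback pattern
// used for canvas fingerprinting. Hypothetical helper names throughout.

function installCanvasReadMonitor(canvasProto, ctxProto, log) {
  // Remember which 2D contexts have had text drawn into them.
  const textDrawn = new WeakSet();

  // Replace proto[name] with a wrapper that calls hook(thisArg, args) first.
  const wrap = (proto, name, hook) => {
    const original = proto[name];
    if (typeof original !== 'function') return;
    proto[name] = function (...args) {
      hook(this, args);
      return original.apply(this, args);
    };
  };

  // Text-drawing calls mark the context.
  for (const name of ['fillText', 'strokeText']) {
    wrap(ctxProto, name, (ctx) => textDrawn.add(ctx));
  }

  // Pixel readback from a context that holds rendered text is the
  // sequence a fingerprinting script produces; record whether it matched.
  wrap(ctxProto, 'getImageData', (ctx) => {
    log.push({ api: 'getImageData', textDrawn: textDrawn.has(ctx) });
  });

  // toDataURL lives on the canvas element; getContext('2d') returns the
  // same context object each time, so the WeakSet lookup still works.
  wrap(canvasProto, 'toDataURL', (canvas) => {
    const ctx = canvas.getContext && canvas.getContext('2d');
    log.push({ api: 'toDataURL', textDrawn: !!ctx && textDrawn.has(ctx) });
  });
}

// Constructed stand-ins for HTMLCanvasElement / CanvasRenderingContext2D so
// the example runs outside a browser. They only model the methods used here.
class FakeContext {
  fillText() {}
  strokeText() {}
  getImageData() { return { data: new Uint8ClampedArray(4) }; }
}
class FakeCanvas {
  constructor() { this.ctx = new FakeContext(); }
  getContext(kind) { return kind === '2d' ? this.ctx : null; }
  toDataURL() { return 'data:image/png;base64,'; }
}

// One benign read (no text drawn) and one fingerprint-style sequence.
function runDemo() {
  const log = [];
  installCanvasReadMonitor(FakeCanvas.prototype, FakeContext.prototype, log);

  const benign = new FakeCanvas();
  benign.getContext('2d').getImageData(0, 0, 1, 1);      // not flagged

  const fp = new FakeCanvas();
  const ctx = fp.getContext('2d');
  ctx.fillText('Cwm fjordbank glyphs vext quiz', 2, 2);   // constructed text
  ctx.getImageData(0, 0, 1, 1);                           // flagged
  fp.toDataURL();                                         // flagged

  return {
    reads: log.length,
    flagged: log.filter((entry) => entry.textDrawn).length,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runDemo());
}
```

In a real deployment the monitor would be installed by a content script before page scripts run, and the log entries would carry a stack trace or script URL so the reading script can be identified. Two caveats apply: the wrapper is itself visible to the page (the replaced functions no longer look native), and a benign read is indistinguishable from a fingerprinting read by this heuristic alone, so the output is a signal for review, not a verdict.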