by ly 2560 days ago
The link to the github repo is located in the code you paste on your own website, so you already host that part yourself. The only thing someone could change if the account is hacked is the contents of the image.

If gh-card.dev ever changes, you might find javascript being injected via the SVG instead of it just being an image. That's what the GP is alluding to, and recommending you host the gh-card code yourself rather than using their hosted instance.
SVGs used as the src= of an <img> tag can't run scripts.
What about all the npm modules?
It’s turtles all the way down. The point here is that people don’t consider third-party content inclusion to be more of a risk than “completely harmless”, which is generally false: the risk may or may not be slight, but it’s never non-zero.
And to follow up specifically to the npm modules, if you're self hosted, you can (but probably won't) audit the contents of what's been deployed when you deploy. You can then also keep that snapshot frozen in time, so you won't necessarily be impacted by any changes to those modules in future.

If you're using the hosted version, you have no idea whether or not the modules are being updated, which versions are in use, etc.

Having control of your environment gives you the opportunity to be more (or even less) secure. It's important to fully understand the risk / potential harm that outsourcing that responsibility to random persons can have.