by rdl 2562 days ago
Minimize JS use, serve the JS you use only from your own domains, run high security apps on dedicated domains with less JS and other external shit than your public marketing site, and use CSP.

I'd probably trust a single CDN (like Cloudflare) with my own copies of all things I include more than I'd want to serve directly but use code from lots of different sources, but for something incredibly high security, I'd want end users to be talking directly to a secure server (maybe with TCP/etc. layer proxies for DDoS resistance and flow-level monitoring, but without decrypting).
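As an added illustration of the CSP advice in the comment (this is example code, not part of the post): a small checker that parses a policy's `script-src` directive and decides whether a script fetched from a given URL would be allowed to run. The policy, the app origin and the hostnames are constructed for the example; port handling and the http-to-https upgrade matching rule are deliberately left out.

```python
from urllib.parse import urlsplit

# Constructed example policy in the spirit of the comment: scripts may load only from
# the app's own origin and one first-party static host, nothing inline, no third-party CDN.
PAGE_ORIGIN = "https://app.example.com"   # hypothetical app domain
POLICY = "default-src 'none'; script-src 'self' https://static.example.com; connect-src 'self'"

def parse_csp(policy):
    """Map each directive name to its list of source expressions."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def _host_source_matches(source, origin_scheme, origin_host):
    """Match a host-source such as https://static.example.com or *.example.com.
    Simplified: ports and the http->https scheme upgrade rule are not modelled."""
    scheme, _, rest = source.rpartition("://")
    if scheme and scheme.lower() != origin_scheme:
        return False
    host = rest.split("/")[0].split(":")[0].lower()
    if host.startswith("*."):
        return origin_host.endswith(host[1:])   # any subdomain, not the apex itself
    return origin_host == host

def script_allowed(policy, page_origin, script_url):
    """True if the policy would let the page execute a script fetched from script_url."""
    directives = parse_csp(policy)
    # script-src falls back to default-src when absent, as CSP specifies
    sources = directives.get("script-src", directives.get("default-src", []))
    url = urlsplit(script_url)
    scheme, host = url.scheme.lower(), (url.hostname or "").lower()
    for source in sources:
        if source == "'none'":
            return False
        if source == "'self'":
            if f"{scheme}://{host}" == page_origin.lower():
                return True
        elif source.startswith("'"):
            continue   # 'unsafe-inline', nonces and hashes never match a URL source
        elif _host_source_matches(source, scheme, host):
            return True
    return False
```

Feeding the URLs of every third-party script a page pulls in through `script_allowed` is a quick way to see which ones a tightened policy would block before deploying it.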