Links on the page are the same as before signed, so the only actual problem with them is not being able to change/delete the documents hosted elsewhere immediately.
Yea, but the web server delivering them is now google. Google now gets the access logs and using the persistent tls socket can follow the users activity. Sure the content is signed, but the delivery is no longer private.
It doesn't seem like this would materially change the information Google receives. The status quo is that Google knows (via redirect links) what search results I click and when. It doesn't technically know what data the website will send me, but normally it's the same as Google's cached copy. It doesn't know what resources my browser will block, but in a bundle scenario, my browser is free to ignore resources even if they must be transmitted as part of a bundle.
> using the persistent tls socket can follow the users activity
Even if this caused browsers to keep idle sockets to Google alive more often, what information is there to be gained from an idle socket?
CDNs are a known commodity with business relationships. You can’t have an unknown CDN in the mix. They are an extension of your infrastructure and you can control if they are or aren’t in the path of control. They key here is that there is also a legal and business relationship.