OK, bad examples, but any open-source project you use via a package manager in your projects you have to trust, and there's no contract or relationship there.
Yes, but bundling packages via npm is not an issue either; it's the fact that third-party embeds transfer personal data to the third party whenever a user visits the website that is the central issue.