[martin_a]

> According to G Fonts privacy policy, they don't store any PII.

Do they log IP addresses? That would be enough as those count as PII. Maybe bunny.net has logs disabled and that's what makes them stand out.

But especially with fonts it's just so easy to self-host them that it's kind of a no-brainer.

> almost any 3rd party requests for assets should be blocked

That could be a very good practice/state of mind for developing privacy-respecting websites/apps and will save you from stress, before it can happen.

As you have no more advantages due to separated caches from using CDNs for scripts etc., you can self-host those, too. Saves on DNS lookups and you have control over the caching-times, too.

I'd try to run as much as possible from the same domain.

[Nextgrid]

The GDPR also has the concept of data minimization, which I believe would apply in the case where you're unnecessarily sharing IP addresses with a third-party (regardless of whether they ultimately log them) for something that can trivially be done in-house.

There's zero benefit to using a CDN for fonts - browsers have long ago started partitioning caches per origin anyway, so you don't even get a performance benefit. Just put the fonts where you put the rest of your static files and you're good to go.