crossorigin='anonymous' solves the privacy issue, SRI will solve the security issue. If you use JS blocking like NoScript, which doesn't appear to support per-site access restrictions, I'd suggest you switch to something like ublock origin's advanced mode, which allows you to allow individual sites to access specific CDNs.