For less popular sites, the user can add it manually, or the site operator notices their site is broken for increasingly many users and stops linking scripts from other domains.
> And, for fun, on the other side I believe a few years ago google's in house public hosting of jQuery received a bad push and was serving a tainted package for a while... even the good actors can mess this up.
That's an independent problem. You could have the same thing happen for actual first party scripts.
And in this context if they're really good actors then they fix it as soon as it's discovered, and if they're not then you take them off the approved list.