Do you vendor your javascript libraries and host them from your own domain, or do you just hotlink them from random CDNs all around the internet like everyone else?
One could use Subresource Integrity (https://hacks.mozilla.org/2015/09/subresource-integrity-in-f...) to mitigate the most obvious threats from CDNs. Granted, that does have some maintenance work, but if you're already managing dependency versions (and you really should) then it's minimal extra work.
Correct me if I'm wrong, but all the scripts the website owner hotloads have to also use subresource integrity for the scripts they are hotloading, or subresource integrity gains nothing beyond the first level of script loading?
I rarely feel that website owners are out to get me; my distrust comes from scripts that load scripts that load scripts. Let's not piss about, I know most people who have written websites that are loading jquery from a remote CDN haven't bothered to inspect it to see what it's loading. By contrast, a website that has vendored all its script dependencies has looked at the entire dependency tree at least /once/. That shows a baseline level of competence that I'm willing to extend trust on top of.
If you're hotlinking them, I don't trust you.