What can happen?
There are two main problems with external resources:
1. The resource could change
The owner of the external domain can change the content of the resource whenever they want, affecting the site the resource is included on. The resource does not need to be changed by the resource owner, the same problem would occur if they were hacked.
2. Shared resource, shared vulnerabilities
This also means that if an attacker were to target a specific site, they could search for vulnerabilities in all the included resources that someone else has already found.
This issue is of course not limited to external resources, but resources that have been downloaded and then self-hosted as well.
There are ways to minimise the danger of the resource changing. Read more about this: https://blog.detectify.com/2016/10/27/cdns-minimize-damages-if-the-cdn-is-hacked/
However, doing so also prevents auto-updates that change the resource, which increases the risk of the scenario described under point two. When a vulnerability is discovered in a public resource it is often automatically updated, but that does not work if the resource is not allowed to change. This is therefore a question of what you believe to be the greater risk; existing vulnerabilities that cannot be patched or the external provider turning malicious or getting hacked. Because the answer to this question greatly depends on the situation, there is no universal solution that is optimal for everyone.