With the second party (GitLab in this case) I have a contact, give them money regularly, and have other such leverage in case they screw up. Third parties generally could not care less what damage they may cause.
But what's the difference? You PAY GitLab in both instances and your leverage is the same. Do you want to be involved in reviewing their motherboards for spyware chips as well?
If you are self-hosting the product, you can control changes to the environment. If you are pulling in third-party scripts on the fly, then that control is gone.