Don't load third-party scripts
Just don't do it. It's not worth it. We're seeing reports now nearly every day that third-party scripts, usually ad platforms, get hijacked and that high-profile websites start dropping malware or running coin miners.
Besides, I question the practice of government websites connecting to third-party domains. If you're running a gov site, security is a top-tier priority. This time we had a script being hijacked for coin miners, but what if it got hijacked by credentials-stealing code? Gov sites deal with highly sensitive information, and as such shouldn't run any code unless their maintainers are 100% sure what it does. Concretely, this means that they should host their own instance of the service and serve the scripts from their own domain. That this isn't already established policy amounts to sheer lunacy.
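
One way to check a page against this rule, as an added example that is not part of the original text: the Python script below lists every script a page loads from a host other than its own, and notes whether the tag carries an `integrity` attribute. The page URL, the `own_hosts` set and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class ScriptAudit(HTMLParser):
    """Collect every <script src=...>, resolved to an absolute URL."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.base_url = page_url      # replaced if the page has <base href>
        self.scripts = []             # (absolute_url, has_integrity_attr)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            self.base_url = urljoin(self.page_url, a["href"])
        elif tag == "script" and a.get("src"):
            url = urljoin(self.base_url, a["src"].strip())
            self.scripts.append((url, bool(a.get("integrity"))))

def host(url):
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def third_party_scripts(html, page_url, own_hosts=()):
    """Return (url, has_integrity) for scripts served from hosts we do not run."""
    allowed = {host(page_url)} | {h.lower() for h in own_hosts}
    audit = ScriptAudit(page_url)
    audit.feed(html)
    audit.close()
    return [(u, sri) for u, sri in audit.scripts if host(u) not in allowed]

# Constructed sample: self-hosted, protocol-relative and absolute script URLs.
PAGE_URL = "https://www.example.gov/services/"
OWN_HOSTS = {"assets.example.gov"}
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="//cdn.example.net/readaloud.js"></script>
<script src="https://assets.example.gov/lib.js"></script>
<script SRC="https://widgets.example.org/w.js" integrity="sha384-CONSTRUCTED"></script>
<script>var inline = 1;</script>
</head></html>
"""

if __name__ == "__main__":
    for url, sri in third_party_scripts(SAMPLE_HTML, PAGE_URL, OWN_HOSTS):
        print(f"third-party script: {url} (integrity attribute: {sri})")
```

It only sees script tags present in the served HTML; scripts that other scripts inject at runtime need a browser-side check.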