Above is a screenshot from my computer. I run Debian. It shows a plug-in or Extension (I’m never sure of the difference) for my Browser, Firefox, called uMatrix. This can block various scripts, domains and entities from the websites you browse. Here, the 1st-party ie. the main website is being fetched from localhost ie. my own computer where Hugo is running a server accessible on my own (local) machine. This 1st-party website isn’t sending out additional calls (requests) all over the place as many 1st-party websites do (try installing this extension and glancing at it as you browse to your usual newspaper or magazine of choice!), but it is making calls to one of the handful of known bad actors on the internet in the shape of Google, which is essentially one of the handful of firms that funds and directs the development of everything that happens on the internet or with internet culture. (A handful of Examples: Creative Commons, Firefox, the Go programming language that Hugo runs on.)
Why Hugo (or many of its themes) use Google fonts is because this gives a lot of configurability without increasing demands upon the server which is hosting the main static site. Your browser fetches the font files from Google and displays them according to the HTML (the text that will be displayed, some of the formatting of that text, and the links to the images that will be displayed) and the CSS (the additional styles and formatting, including the instructions to use the fonts downloaded from Google) that is downloaded directly from your server. What the user ought to be aware of, however, is that every call to Google, Amazon AWS, Facebook, and all such firms, can be logged and analysed, permitting you and your browsing habits to be monitored, with everything that can mean not only (nor even primarily) for your personal experience not only on the internet, but for society as a whole as these companies further their power, knowledge and reach way beyond that of any empires of the past.
A note here. If a website has a Facebook like button, Facebook is tracking you by using it (the like button is delivered by their servers) whether or not you have a Facebook profile.
I would like to limit all such tracking on this site but this takes time and resources (not to mention money if I choose to use different fonts which I buy for the purpose). Meanwhile, you can run a decent plug-in to restrict it and this site ought to continue to run unhindered. I encourage you to do this.
You may also follow the site through rss, though I don’t know enough about how that works in terms of pings to Google.
Some years back now - it was just pre-Covid - I was talking to a friend about internet security, one of the areas in which he works, and he told me that the languages used to describe one of the two types of font, are Turing complete. For the average user, this is mindblowing, being countless layers of abstraction distant from the mental maps they may reliably use to make decisions about the world, and quite possibly many “above” the last they can meaningfully understand. It basically means that the computer languages that describe the curves of fonts you may use on your system, including those that are downloaded by scripts that have been downloaded by your browser, are sufficiently sophisticated to themselves pose a threat to the integrity of your machine.