it would be preferable if technical documentation including on security issues, can be viewed without running JS from everywhere. Some form of graceful degradation would make it easier for users of security extensions to avoid having to decide to trust googleapis.com, or indeed enable javascript at all.

I tried reading https://docs.fedoraproject.org/f28/release-notes/

To read anything other than "Book information" or "Revision History", I need to click in the TOC to one of sections, which expands and allows me to read a specific page.

The expander requires permission to run JS from ajax.googleapis.com. I suppose this might be desired to attempt cache sharing on mobile phones and other resource-limited cases.

Based on https://stackoverflow.com/questions/32889197/a-fallback-for-bootstraps-collapse-behaviour-when-js-disabled ... there is not actually a good way to do this with Bootstrap. It's a defect in this Bootstrap feature, so that's where it really wants to be fixed.

(Using a noscript tag obviously doesn't support the letter of my request. A noscript tag will not take effect even if the network failed all .js files. That's one of the key points in the modern argument for "progressive enhancement". I.e. the plain HTML should continue to just work. Even if your network connection is horrible and you have a 50% chance of loading any given resource correctly or whatever.

I'm aware that a compromise of the third party in question practically signals game-over anyway. I don't resent that. I'd just prefer that reasoning and learning that fact was not a pre-requisite to read system docs, if I'm protecting against whatever the next rowhammer / spectre etc is).