Government apps should absolutely be held to a higher standard than consumer B2C apps. Loading Google Fonts is one thing — sending telemetry to OneSignal and Facebook from an official government app is a different conversation entirely.

In Australia, apps handling government data must comply with the PSPF (Protective Security Policy Framework) and the ISM, which explicitly restrict data flows to untrusted third parties. A government app routing 77% of requests externally would fail an IRAP assessment on day one.

The fix is straightforward: self-host fonts, use first-party analytics, and treat every external request as a data exfiltration vector. Government digital teams know how to do this — the question is whether anyone is actually reviewing the network behavior post-deployment