"And this is why I have blocked all fonts for the last fifteen years."
This is something that should be available directly in browsers, because it's a clear attack vector.
Only approved sites should be able to use custom fonts - untrusted ones should have any custom font replaced with the standard serif/sans serif/monospace one.
Then there's the issue of documents with embedded fonts. Again, these should be flagged, and there should be an option to open them with the font(s) replaced.
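The per-site allowlist the comment describes can be approximated today in Firefox with a `user.js` preference plus uBlock Origin static filters. This is an added example, not part of the original thread; `trusted.example` and `docs.example` are placeholder hostnames.

```text
# user.js (Firefox profile directory): ignore document-specified fonts
# and fall back to the configured serif/sans-serif/monospace fonts.
user_pref("browser.display.use_document_fonts", 0);
# Optional, stricter: stop downloading @font-face web fonts at all.
user_pref("gfx.downloadable_fonts.enabled", false);

! uBlock Origin "My filters": block font resources everywhere,
! then re-enable them only on approved sites via exception rules.
*$font
@@||trusted.example^$font
@@||docs.example^$font
```

With `use_document_fonts` set to 0 the page still renders, just in the browser's default fonts, so the effect is visible immediately on any site not in the allowlist; the uBlock rules prevent the font files from being fetched and parsed in the first place.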