A very brief comment here after looking at #399 -- it seems like there's less additional fingerprinting surface here -- but it's not zero, and worth mentioning. In particular, it seems like there are some changes in fonts that are not detectable on the web today, but would be detectable with raw font table access. Thus this might be providing the additional fingerprinting entropy to distinguish a user with version 1.0.4 of a font from one with version 1.0.5 of the same font in cases where that wasn't detectable today.
This seems worth at least briefly mentioning in the section on fingerprinting.
From https://github.com/w3ctag/design-reviews/issues/400#issuecomment-530682291 :
This seems worth at least briefly mentioning in the section on fingerprinting.