You can argue that libraries hosted on cdnjs cannot be tampered with and are pretty safe to use, but generally it's a security concern if you leave the door open, especially if developers have the ability exclude domains or URLs.
As for the difficulty of updating and maintaining your extension you will need a build script as part of your release/development process. Pulling a library from the internet can be as simple as:
but in some cases you may need to pull from git, npm and do some manual adjustments if needed.
In the end if you have all of your minified code clearly separated and stated as third-party code, and there is a build script that you could provide if needed to reproduce that build then this may also speed up the review process, I guess. I know there is no such practice as of now on the CSW but maybe in future there will be.
As for the package size concern that is true, although the maximum allowed extension size should be pretty large, can't remember the exact number, but you can check it out on the official documentation web site. For example, I had to bundle MathJax with one of my extensions, which is a pretty large JavaScript library, it's around 50MB in total, so I spent some time looking around on how to trim it a little bit, it went down to 1.6MB which after archiving it as .zip package is even less. However, as it turned out I trimmed it way too much and some users reported that some of the MathJax plugins are not loading because those plugins were available on cdnjs before, but now are missing from my extension package. So it can be an issue in some cases.