It's quite simple - it loads a script from the
domain into your document. What the script does from there is entirely under the control of that external site.
Since the script doesn't include any subresource integrity
] attributes, they can change the script at any time, and your site will still load and execute it. If their domain gets hacked, you could be executing malicious script from their site in your own page without knowing it.