and why would a bank site hotlink to an asset owned by someone else?

All the security concerns I've seen for this seem quite contrived to me. And I say that as someone who assiduously avoids google products*

(*alas, except at work, because I can't really choose that)

I think this is the perfect storm.

1) Privacy-conscious browsers are trying to get exposure, so they are stretching an extremely narrow privacy risk into something extreme.

2) (I also believe) media companies are worried this will rob them of ad exposures, so they are incentivized to cover this as something scary.

3) The "bad guy" is Google. This means the amplitude of the story is immediately 10X larger.