It is 100% correct, jQuery is mandatory but it doesn’t have to use a CDN[…]
The correctness was about your phrasing, it sounded like the default jQuery setting was local-only, and the admin needs to explicitly change the setting to use the CDN. (And yes, it is of course mandatory, I was just pre-coffee rambling...

)
The PP should not by default include things that are not enabled by default. […] Hint: other forum platforms that have had GDPR features for more than a year don’t try to solve this - at the end of the day, you are the site owner, you are responsible for it being correctly listed, not the software, and if the software has defaults there is a fair bet someone will be on the wrong side of it for assuming it is magically correct when it is not.
I disagree, I think it should include all those third parties, and maybe prefix each one with something like "If this site is configured to use the Gravatar option, your personal data (including IP address, email address, …) will be processed by them, blah blah blergh…".
Otherwise, as a site owner, you would have to test all user-configurable options to see if any of them have an effect on any specific forum page, resulting in traffic to additional third-party sites.
Being on the other "wrong side", that is, including a "this external site
might be processing your data under
these circumstances"-prefixed reference to a site that isn't
actually used, shouldn't be a problem.
And good luck to you to write the translated version of the privacy policy that patches all the bits together.
I don't understand. I'm asking for one static policy that includes all of this. Not multiple versions, and not code-including sections based on features used.