6

It's a well-known fact (in the privacy-aware community, at least) that a factor quite often used for tracking is the list of installed fonts, which browsers seem to expose, and trackers exploit this.

There are lots of questions and answers as to how to avoid this (spoof the list of installed fonts, etc.), but I'm wondering: why do browsers need to expose installed fonts? What use cases does it satisfy in the first place?

WhyNotHugo

2 Answers

5

Browsers don't directly make a listing of the installed fonts available. Instead, they provide information about the size a specific object like a textbox has. Since the same text rendered with different fonts causes slightly different object sizes, this can be used to infer which font was used to render a specific text and thus check if a specific font was used to render the text (and is thus installed on the system) or not.

For more information see Font Fingerprinting at browserleaks.com or the paper Fingerprinting web users through font metrics.

Steffen Ullrich
5

For ultra-precise screen layouts like games, a developer often needs to know the size something renders at. While a dev can instruct the browser to draw at, say, 10px, OS font size settings, zoom, font variations, and more can affect the actual rendered height. By reading back the output size, small font size adjustments can be made until it's "just right". This mechanism is for all boxes on the page, not just fonts, but boxes typically "stretch" to fill the text contents, and uniting the two can reveal if rendering in a certain font leaves the box with different dimensions than before the new font was applied.

The textbook example is re-sizing an iframe to fit an error message page on another co-operative domain.

It's probably safe to start blocking fonts now because custom fonts can be delivered via the web with the page itself, rather than relying on the OS's built-ins. Those can be discovered as well, but since the page brought them, there's no value to discovery. Note that discovered is the right word; there's no way to iterate any font lists, native or web-based, so guess-and-check is the only way.

dandavis
  • 1
    Thanks for the clear explanation. This pretty much clarifies the real *need* that exists (arguably _"existed"_) for exposing local fonts. – WhyNotHugo Jul 04 '17 at 20:22
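
The size read-back that both answers describe, and the effect of blocking local fonts, as an added example that is not part of either answer. It is a model that runs without a browser: the font names, advance widths and machine profiles are constructed, and `measuredWidth` stands in for reading a box's size in a real page.

```javascript
// Model of the size read-back side channel. All font names and widths are
// constructed for illustration; no real browser API is called.
const ADVANCE = { // constructed average advance width per character at 10px
  "monospace": 6.0,
  "Font A": 5.4,
  "Font B": 6.3,
  "Font C": 5.9,
};

// What layout does with `font-family: <requested>, monospace`: use the
// requested family if it may be resolved, else the generic fallback.
function resolveFamily(requested, profile) {
  const { installed, allowlist } = profile;
  const usable = installed.has(requested) &&
    (allowlist === null || allowlist.has(requested));
  return usable ? requested : "monospace";
}

// Stand-in for reading a text box's rendered width back from the page.
function measuredWidth(text, requested, profile) {
  return text.length * ADVANCE[resolveFamily(requested, profile)];
}

// Guess-and-check: a candidate is observable only if its box differs from
// the fallback-only box. There is no list to iterate.
function observableFonts(candidates, profile, text = "mmmmmmmmmmlli") {
  const baseline = measuredWidth(text, "monospace", profile);
  return candidates.filter((c) => measuredWidth(text, c, profile) !== baseline);
}

const candidates = ["Font A", "Font B", "Font C"];
const machine1 = { installed: new Set(["Font A", "Font C"]), allowlist: null };
const machine2 = { installed: new Set(["Font B"]), allowlist: null };

// Mitigation modelled here: local fonts are blocked (empty allowlist), so
// every probe falls back and measures the same on every machine.
const blocked = (p) => ({ ...p, allowlist: new Set() });

function demo() {
  return {
    m1: observableFonts(candidates, machine1),
    m2: observableFonts(candidates, machine2),
    m1Blocked: observableFonts(candidates, blocked(machine1)),
    m2Blocked: observableFonts(candidates, blocked(machine2)),
  };
}
console.log(demo());
```

With local fonts resolvable, the two constructed machines yield different results; with them blocked, both yield an empty list, which is the property to check when evaluating a font-blocking setting.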