My ad blocker just blocked an unknown Google Tag Manager request initiated from my vendor's chunk.
Is it a common practice to have tracking in dependencies, and what kind of data is it possible to extract from my website using Google Tag Manager?
Should I even bother?
Having some sort of tracking in libraries isn't common practice but it isn't unheard of. I've seen it less after GDPR and similar laws were introduced, however. But that kind of tracking is usually very specific, maybe some usage stats are sent towards an endpoint or maybe Google Analytics is embedded or something.
Google Tag Manager, on the other hand, can be used to inject almost anything into your site. They could inject a crypto miner, they could take all information from the current (possibly logged in) page and send it to wherever, they could take actions on behalf of the user, redirect users to another page etc. Basically this is a backdoor into your site that might look harmless now but might do something completely different tomorrow, so I really wouldn't trust it.
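
To find out which built file pulls in Google Tag Manager, here is an added example (not part of the original question or answer) that scans bundle text for the GTM loader URLs and the container-ID pattern. The chunk names, the sample bundle contents and the `GTM-EXAMPLE1` ID are constructed placeholders.

```javascript
// Added example: static scan of built bundle text for Google Tag Manager loaders.
// Chunk names and contents below are constructed; GTM-EXAMPLE1 is a placeholder ID.
const PATTERNS = [
  // Public GTM / gtag loader endpoints and the noscript iframe fallback.
  { kind: "loader-url", re: /googletagmanager\.com\/(?:gtm\.js|gtag\/js|ns\.html)/g },
  // Container IDs are passed separately from the URL in the standard snippet.
  { kind: "container-id", re: /\bGTM-[A-Z0-9]{4,}\b/g },
];

// Minified chunks are often one long line, so report character offsets plus
// surrounding context instead of line numbers.
function scanChunk(name, source) {
  const findings = [];
  for (const { kind, re } of PATTERNS) {
    for (const m of source.matchAll(re)) {
      const end = m.index + m[0].length;
      findings.push({
        chunk: name, kind, match: m[0], offset: m.index,
        context: source.slice(Math.max(0, m.index - 40), end + 40),
      });
    }
  }
  return findings.sort((a, b) => a.offset - b.offset);
}

// Build a per-chunk report; chunks without hits are omitted.
function auditChunks(chunks) {
  const report = {};
  for (const [name, source] of Object.entries(chunks)) {
    const findings = scanChunk(name, source);
    if (findings.length === 0) continue;
    const pick = (kind) =>
      [...new Set(findings.filter((f) => f.kind === kind).map((f) => f.match))];
    report[name] = { loaders: pick("loader-url"), containerIds: pick("container-id"), findings };
  }
  return report;
}

// Constructed sample: a vendor chunk embedding a GTM-style loader, and a clean app chunk.
const SAMPLE_CHUNKS = {
  "vendors.js": `(self.webpackChunk=self.webpackChunk||[]).push([[216],{4821:function(e,t){!function(w,d,s,l,i){w[l]=w[l]||[];var j=d.createElement(s);j.async=!0;j.src="https://www.googletagmanager.com/gtm.js?id="+i;d.head.appendChild(j)}(window,document,"script","dataLayer","GTM-EXAMPLE1")}}]);`,
  "main.js": `console.log("app start"); // no tag manager here`,
};

console.log(JSON.stringify(auditChunks(SAMPLE_CHUNKS), null, 2));
```

The `context` field of each finding shows the surrounding minified code, which is usually enough to search the installed dependencies for the same string and identify the package responsible.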