This resembles the "monolith" vs "micro-services" discussion. If you spread the packages over thousands of domains, hosts, providers, reliability will be horrible. And it's uncontrollable. In theory, RubyGems could run code analyzers on all uploads to detected malware. Good look if you just haven an index of repositories/packages hosted elsewhere.

Step 2: store a copy of the library in your repo.

Sounds nut? We used to do this with .dlls in sourcesafe and was fine. boring.