At least then the server has to deal with the security implications of talking directly to the advertiser, instead of pushing the risk wholly to the client.
In the end the script is running on client, dealing with user data, not server data. Client is still taking the risk.
On moral/legal issues, integrating script from third or first party hostname sounds like technical detail. If you select partner to run their code on your pages, you should be responsible checking user consent when applicable and taking responsibility. British Airways has been fined £20m even if that script was not on their servers.