I understand that web fonts are distributed in one of two ways:
They are hosted by the type foundry, who can, to a degree, enforce license restrictions (e.g., hit rate, referral host, etc.)
You just get the .woff/.woff2 file and host it yourself.
In either case, what stops anyone from downloading the font file and using it themselves? I’m not advocating this, but surely font piracy must be rife; especially if you use something like GitHub Pages, where you can simply checkout the repository, fonts and all.