As with free website construction, someone has to pay for the bill.
There were 8 trackers found on that weebly website:
-www.google.com
-fonts.gstatic.com
-www.gstatic.com
-geolocation.onetrust.com
-privacyportal.onetrust.com
-p.typekit.net
-use.typekit.net (as Privacy Badger informs).
The website was not malicious, so an av-vendor would not flag these.
One could improve security like with:
Security Headers
Missing security header for ClickJacking Protection. Alternatively, you can use Content-Security-Policy: frame-ancestors 'none'.
Missing security header to prevent Content Type sniffing.
Missing Strict-Transport-Security security header.
Missing Content-Security-Policy directive. We recommend to add the following CSP directives (you can use default-src if all values are the same): script-src, object-src, base-uri, frame-src
polonus