i'd also add that even VPNs can be a problem on linux on wifi with a malicious device on the same LAN, via a recently discovered exploit that amusingly doesn't work on android VPNs. there is a workaround, i forget what it's called just now, but the wireguard people have published a mitigation you can set up involving linux kernel namespaces (this is why it doesn't work on android, android extensively uses namespaces)

also i'd further add that the relays can only *surmise* your NPUB based on the frequency of your queries for it, especially requests for your profile and follow list, but with auth they know for sure that at that IP lives that NSEC

anonymity on nostr requires the use of a VPN, but i think that even something as lightweight as a VPS with wireguard like i use still deflects any cheap attacks on my location, because it will say "romania" and ALL of my traffic (on my phone as well) goes through it, and my VPS provider doesn't KYC me, so even if they go there and subpoena, all they then get is my IP address here, which is in yet another jurisdiction

and i could easily make it even harder by chaining two of these together, for example one to kazakhstan and then one to romania, good luck with that

cost me USD$35 for a whole year btw, up to 9 TB traffic per month, and better than a dedicated WG vpn service because the IP is not associated with VPN services (i still get some sites pissing on me because they see a VPS IP address owned by a VPS provider, but they don't know whether the origin is there or elsewhere)