I agree. But the only thing an observer can see is the relative activity level of the group. They don’t know if that activity is spread over a small number of users or a large number. These group ids can be rotated as often as the client wants as well.

Talking through it earlier, I felt like trying to do some complicate group id derivation and then publishing to multiple group ids was more security theatre rather than real security. 

Spec will be ready this week. We can hash out the details then. 🤝