how? every request has your pubkey in it too, not hard to narrow it down after a few messages, with a set intersection operation
the real privacy violation is in the IP address because that potentially gives your physical location, and then you prove you have the key apparently at that location by authing
so yes, you want to not auth to free/untrusted relays, but they still know your pubkey and can be pretty confident that at that location lives the nsec
so, if you care about location, you use a VPN or Tor
if you care about not giving away your identity, you uninstall the client and stop using it, you are going to identify yourself auth or not, this is an authenticated protocol
if you pay for the relay, and they are selling log data to third parties, you stop paying them and you stop using them altogether
if you pay a relay they have a much greater incentive to not betray your data to third parties and if they do, then they deserve to be blacklisted by everyone in the community for this
you can also run your own relays, because the protocol allows this kind of distributed access, and nip-65 facilitates this messaging pattern