PayNyms are useful even without Whirlpool, as I can post a static QR code and receive payments without everyone in the world knowing how much I have received (unlike posting a static bitcoin address).
Discussion
Assume you're a stack duo user. You want to pay a paynym. You send the notification transaction to the paynym. You then use the change UTXO from the notification transaction to make the payment to the paynym. A presumably common flow if you intend to pay a paynym. The world sees the notification transaction and then sees the change UTXO spent in a subsequent tx.
Assume 2 other people do this same thing.
Now assume the recipient is another stack duo user who has posted their paynym somewhere. The recipient then consolidates those 3 payments in a subsequent tx.
This is strong evidence that anyone can use to form a lower bound on the amount the paynym received. Without a strong holistic privacy toolkit, leakages like this are bound to happen.
Change from a paynym notif tx is frozen by default btw. So the user will not be able to spend that output unless they unfreeze it.
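The linkage discussed in this thread, as an added example that is not from any poster or wallet project: a toy transaction model showing what a public observer can sum up when notification change funds the payments, and that the sum drops to zero when that change stays frozen. It assumes BIP47-style notification transactions paying a publicly derivable notification address; every txid, address and amount is constructed.

```python
# Toy model: a tx is {"txid", "ins": [(txid, vout)], "outs": [(address, sats)]}.
# All txids, addresses and amounts below are constructed for illustration.
NOTIF_ADDR = "recipient-notification-address"  # placeholder, not a real address

def leaked_lower_bound(txs, notif_addr):
    """Sats an observer can attribute to the PayNym owner from public data."""
    by_id = {t["txid"]: t for t in txs}
    notif_ids = {t["txid"] for t in txs
                 if any(addr == notif_addr for addr, _ in t["outs"])}
    # Txs that spend the change (any non-notification output) of a notification tx.
    linked = {t["txid"] for t in txs
              if any(src in notif_ids and by_id[src]["outs"][vout][0] != notif_addr
                     for src, vout in t["ins"])}
    total = 0
    for t in txs:
        spent = [(src, vout) for src, vout in t["ins"] if src in linked]
        if len({src for src, _ in spent}) >= 2:  # consolidates several linked payments
            total += sum(by_id[src]["outs"][vout][1] for src, vout in spent)
    return total

def scenario(spend_notif_change):
    """Three senders pay the same PayNym; the recipient consolidates the payments."""
    txs, cons_ins = [], []
    for i, amount in enumerate([50_000, 120_000, 30_000]):
        txs.append({"txid": f"notif{i}", "ins": [(f"fund{i}", 0)],
                    "outs": [(NOTIF_ADDR, 546), (f"sender{i}-change", 400_000)]})
        src = (f"notif{i}", 1) if spend_notif_change else (f"other{i}", 0)
        txs.append({"txid": f"pay{i}", "ins": [src],
                    "outs": [(f"recipient-addr{i}", amount),
                             (f"sender{i}-change2", 400_000 - amount - 1_000)]})
        cons_ins.append((f"pay{i}", 0))
    txs.append({"txid": "consolidate", "ins": cons_ins,
                "outs": [("recipient-wallet", 199_000)]})
    return txs

if __name__ == "__main__":
    print("notification change spent:", leaked_lower_bound(scenario(True), NOTIF_ADDR))
    print("notification change frozen:", leaked_lower_bound(scenario(False), NOTIF_ADDR))
```

The consolidation alone still clusters the three receiving addresses in both runs; what the frozen change removes is the public tie between those addresses and the PayNym.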