Browsers make many arbitrary requests to servers you didn't specify to fetch page resources. I like to block that with uBlock origin. Clients *should* put the user in control with white lists and/or blacklists. Practically though, the attack surface from websockets and nostr events is incredibly smaller than that of a web page so I don't think that is an important feature at this point, even for paranoid tor users.

Beyond that, if you don't fetch bob's events from where he publishes them, what else can be done in the case that you want to follow Bob?