A compromised watch only wallet, or a watch only wallet being hosted by a third party that leaks. If you're connected to someone else's node I guess they could try to keep track of your IPinfo and log the addrsses you're pulling information on, but this is beyond the scope of my knowledge at this point.