"The wallet pings an onion URL to check for a new version"
So let me tell you how this can all go wrong.
From clearnet to Tor username resuse, to social engineering attacks (and lastly actual exploits" there are a lot of ways to reveal the identity of the developers and get into the server that hosts the updated program.
If a whole userbase that doesn't want their ID tied to their Bitcoin transactions is using this software for that purpose, and among that userbase is a criminal of any sort, then a malicious update to deanonymize the entire userbase is a real and persistent threat.