Relays can handle the outbox stuff. No actual need to have the clients do it. Relays can just talk to relays.
Discussion
not if the outbox requires the user's auth for the event (eg DMs)
DMs are a special case. Should probably be P2P, to be honest.
And for the rest of the sensitive stuff, that's what the personal relay is for. That's a grand total of 2 relays, max, and one of them is already predetermined. Throw in a localhost relay, for the lulz. Costs practically nothing.
yeah, DMs are the case that makes having a rendezvous relay proxying function make sense. at most the relay only sees traffic volumes and who connects to who, the content is encrypted. without much more elaborate than that you could use tor to set up accounts on several intermediary relays and voila, you don't even need tor to isolate who's talking to who, just two intermediaries and basta.
Also, there's no rule saying that an AUTH relay can't aggregate from other relays. It can just go find stuff, from the subscribers, and pull it.