The 1st hop only sees your connecting IP, but can’t decrypt your traffic. It forwards the still-encrypted traffic to the 2nd hop, effectively NAT-ing your connection and masking your IP address from the 2nd hop.

The 2nd (exit) hop connects you to the internet, but never sees your personal info or IP address since it only knows that the connection is coming from the 1st hop.

This splits “who you are” from “what you do”, meaning neither party can tie your identity to your browsing.