If I understood correctly, the user can still use everything Tor-only. Only the community relay or blossom server needs to check whether the user pubkey matches the whitelist, and that doesn't involve any interaction on the user's part other than sending an auth, which is independent of the way you connect to the relay.
Discussion
NIP-05 definitely relies on DNS; it doesn't allow onion services.
Nobody interested in decentralization is using it. For example, people who only use Tor-compatible nostr implementations aren't using it because DNS isn't Tor.
I like the idea of NIP-05 resolving handshake.org domains because then you don't have to change anything about the UX or the flow. Clients, when noticing a handshake domain, just have to add the "hns.to" before the URL and they'll find the JSON. So, for example, me.nostr/.well-known/nostr.json: just make it hns.to.me.nostr/.well-known/nostr.json and done.
This idea is usually loudly booed because it's another chain. But it's a pretty frictionless update.
Sounds pretty frictionless, but in the long run the best solution I see is a DNS alternative built on doggie coin. Wrote about the idea in this article: nostr:naddr1qqrxuethg389xq3qwamvxt2tr50ghu4fdw47ksadnt0p277nv0vfhplmv0n0z3243zyqxpqqqp65w7fdn8s