the misunderstanding they have is that you can be 100% certain which npub is requesting for events by the filters preponderance of one specific npub in it

this would be the same npub that would appear in an auth event

so it's very unlikely a malicious relay can't figure out which npub is behind a connection, or in other words, if you actually are concerned about not revealing which npub you are using you should strictly use tor so there is no IP/npub correlation being built up, as this locates a person to whatever IP address they appear to be connecting from

auth, or no auth, it makes no effective difference, the protocol requires you to identify yourself, one way or another, if you want to see events where people have tagged you or replied to you