And no. NIP-42 was not enabled by default & only supported for personal use due to the reasons that you've provide above.
Discussion
And again, NIP-42 requires domain name validation. So #bostr could not use NIP-42 for public usage.
I am rather questioning the privacy at multiplextr than in #bostr as it tell to coracle that the event was sent from "that" relays, and then coracle sign the AUTH for "that" relays also.
Yes, multiplextr absolutely has the privacy problem you're describing. The advantage it has is it allows clients to implement routing.