And no. NIP-42 was not enabled by default & only supported for personal use due to the reasons that you've provide above.

And again, NIP-42 requires domain name validation. So #bostr could not use NIP-42 for public usage.

I am rather questioning the privacy at multiplextr than in #bostr as it tell to coracle that the event was sent from "that" relays, and then coracle sign the AUTH for "that" relays also.

Yes, multiplextr absolutely has the privacy problem you're describing. The advantage it has is it allows clients to implement routing.

How to keep this proxy relay address private? Does anybody can connect to this proxy relay silently if they know the address ?

In config.js, You put your public key in `authorized_keys` array. After restart, bostr will only allow users in `authorized_keys` to use the bouncer. However, You need to ensure that NIP-42 is supported in your client. Otherwise the bouncer will not doing anything for you during authentication. Additionally, You could enable internal NIP-42 for NIP-42 relays for your own use by inserting public & private key in `private_keys`.