The ballotid and userid is encrypted using the voters' private key. Only the voter can view the ballot and prove the ballot belongs to their user account. There are heuristic searches that may need to be defended against with additional anonymizing of data.

I spell it out in the white paper. TLDR; The userid and ballotid are only known to the voter. They're decoupled when the data is at rest. There's no way anyone can know which voter submitted which ballot.