If a relay requires auth, then yes — it could sniff some information. As for the other points: – The welcome event is wrapped in a NIP-17 DM, so it’s not linked to the MLS group. – Group IDs can be rotated, even per message. – IPs can be hidden by using the Tor network. Also, some information can be obtained from the req, but auth is required to identify the sender.