That's correct. However, there are two theoretical attacks. 1) Once they have identified you as a person transferring coins to SR, they could blacklist your address and watch for packages coming to it. Of course, this assumes you used an address linked to your identity. Some people are too smart/cautious to do that, but tons of SR buyers use their home addresses, so it makes the attack worthwhile as a cheap fishing expedition. LE is guaranteed to bust some people. 2) IF the SR server is compromised, then they already have the bitcoin info and buyer information, now they can link it directly to purchases.