Right, that's the main thing to worry about. How about this as a mitigation strategy: never close your client with circuits open to sensitive web sites. After you are done browsing sensitive web sites, do some mundane browsing for 15 minutes, then close your client. The attacker may be able to identity you, but you will be uninteresting.