You are right about this actually. I shouldn't assume that vendors are using proper security. I can say that they are all using Tor though, and that they are not inherently exposing their addresses. Of course they are almost all getting product from someone else. I wonder if the average SR customer exposes their address/activity/nym to more people than the average SR vendor. That is another assumption that needs further analysis (yes, customers inherently give their addresses to get product, but vendors are also inherently giving their information to someone that they get product from, unless they are the chemist/grower). In a discretely measured deal, the customer leaks their address and the vendor does not, however the continuous product flow cycle consists of several discrete deals and all the way to the top this address leaking property is true. What really needs to be considered is how many nodes an address leaks to. However if we look at the network overlay of SR transactions, and not the wider distribution network(s), it will be easier to get a large number of customer addresses than to get a large number of vendor addresses (since most vendors are not ordering what they sell off of SR but are getting it from private distribution networks). One thing that immediately becomes obvious is that vendors should not be placing orders on SR using the same names that they vend with, or else they will lose this advantage. But really it might not be proper to look at things in such an SR centric way. On the other hand, private distribution networks are more resistant to massive LE infiltrations. If a vendor is buying bulk on screened private forums, it is probably less likely that they are as potentially exposed to LE as compared to someone buying bulk on a public forum. Also, even with human intelligence ignored, vendors and customers both are much weaker to traffic analysis attacks than I would like. HUMINT is certainly a huge weakspot, especially for customers on non-screened public distribution channels, but SIGINT and FININT are perhaps not significantly protected from for vendors and customers too.