I2P is entirely out of the question anyway. Vendors leak their rough geolocation and I2P by default reveals the IP addresses of all users (just makes it hard to tell what the IP addresses are doing through I2P). It is not compatible with our threat model.