Like you said they could enumerate the people connecting from a certain city and correlate it with known vendor shipping locations. Additionally they could try to get a vendor to write a message to them (or just view a post from a vendor), that would get them the timestamp of when the vendor was online which would allow them to match it up against known connections through their entry guard. Not to mention they would also be able to match the amount of data sent through their guard and compare it to the size of the message they saw from the vendor etc (timing attack + fingerprinting attack).