Yeah and you might as well leave javascript enabled as well because it isn't like the police ever used javascript based exploits to deliver attack code to people viewing hidden services, for the entire life of Tor! well, other than the first time they did it. If you want your address sitting in plaintext on a server that can be compromised, that is your own risk to take. You want to be low hanging fruit go ahead it makes it better for everyone else because the police will target you first and if enough people are insecure like you they wont try to do more sophisticated attacks because the return on investment will be small. Just like they didn't try to pwn people using Linux or bother to use a zero day to bust the people going to freedom hosting. But at the end of the day you are taking a major risk that you don't need to take. And it is totally possible that some day that risk is going to end up with your address and what you have ordered logged in a police database. I am more happy that they just have uncrackable ciphertext, but go ahead let them get your address and orders as soon as they seize the server or penetrate it remotely.