Attack Vector against relay nodes from client machines run by Investigators

There is a protection for this, now I have had a wee while to think about it (nice investigating @neo): the routing layer will know when it is delivering to a bootstrap/relay node. It can tell this from the address of the client, which contains (NodeAddress, Client_public_key), so the node that is connected to the relay node will know it is delivering to the last hop. On seeing this, the routing node can encrypt the whole message to the client. This essentially means the relay node (bootstrap node) cannot tell what the client is receiving, and the relay is then protected.

This is pretty easy to achieve and we can give this more thought. The reason not to end-to-end encrypt the whole message is to allow caching. So this is for ImmutableData only; all the other data types are encrypted end to end anyway, making this attack not possible there.

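The last-hop protection described in the post above, as an added sketch that is not part of the original post or the project's code: a routing node forwards ImmutableData in the clear between nodes (so it stays cacheable) and seals it to the client's public key when the destination address carries one. Assumptions: the `deliver` function, the `(node_address, None)` form for non-client destinations, and the toy Diffie-Hellman sealing, which stands in for the network's real public-key encryption.

```python
import hashlib, hmac, secrets

# Toy stand-in for public-key encryption (assumption, not the network's real
# scheme, not for production): Diffie-Hellman mod the prime 2**255 - 19.
P, G = 2**255 - 19, 2

def keypair():
    sk = secrets.randbelow(P - 3) + 2
    return sk, pow(G, sk, P)

def _keys(shared):
    # Separate encryption and MAC keys derived from the shared secret
    raw = shared.to_bytes(32, "big")
    return hashlib.sha256(b"enc" + raw).digest(), hashlib.sha256(b"mac" + raw).digest()

def _xor(key, data):
    # SHA-256 in counter mode as a keystream
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(client_pk, plaintext):
    """Encrypt to the client's public key using a fresh ephemeral key."""
    esk, epk = keypair()
    enc, mac = _keys(pow(client_pk, esk, P))
    ct = _xor(enc, plaintext)
    return epk, ct, hmac.new(mac, ct, hashlib.sha256).digest()

def open_sealed(client_sk, sealed):
    """Client side: verify the tag, then decrypt."""
    epk, ct, tag = sealed
    enc, mac = _keys(pow(epk, client_sk, P))
    if not hmac.compare_digest(tag, hmac.new(mac, ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return _xor(enc, ct)

def deliver(dst, chunk):
    """Routing node's choice for the next hop.

    dst is (node_address, client_public_key) for a client behind a relay, or
    (node_address, None) for an ordinary node (assumed representation)."""
    _node_address, client_pk = dst
    if client_pk is None:
        return ("plain", chunk)                # node-to-node: stays cacheable
    return ("sealed", seal(client_pk, chunk))  # last hop: relay sees ciphertext only
```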