I am not talking about “somehow finding IP adresses in Safenet”. I am talking about large scale “Packet Sniffing” in the IP layer.
Some tree-letter agency starts lots of normal Safenet vaults on a server that does nothing else.
Packet Sniffing all traffic on this server makes it easy to discover a lot of IP Adresses of other Vaults.
Proportional to (average number of groups one vault is in) * (average number vaults in a group) * (number of monitored vaults), corrected for overlap.
These IP adresses are used to create a Real-time overview of all traffic between their own citizens and the Safenetwork.
It is unimportant which vaults where contacted, it is sufficient to register a record (IP Adress, Date, Minute, Total Packet size for that minute). That can easily be supplemented with rekords which IP was in use at what physical address at what time.
Somewhere else they organize a building full of Safenet Clients and obedient little burocrats who do nothing but browsing Safenet looking for subversive content. Each time something new and dangerous is found, the burocrats activate their personal packet sniffers and check the total package size needed to retrieve this file/these files.
Once they know how much the total size is, it is used to find all IP adresses in the Traffic Overview that have communicated approximately that much data over SafeNet in one continuous action shortly before this danger was recognized.
Of course each time they will find much more innocents as true subversives, but that is not a problem.
Lather, rinse, repeat: the true subversives will be repeat offenders and sooner or later they will be recognized.