edit: I just found a paper [1] which talks about this issue and a potential solution.
Monero certainly has lots of things that make me excited about it, but it seems there is a downside:
To receive a payment, 'A' must tell the sender ('B') A's receive address. Now, this receive address is never encoded in the block chain, but it is known to everyone who sends 'A' coins.
If 'B' and others who know 'A's receive address keep track of it and the coins they send, some privacy is not preserved.
Bitcoin & many other crypto currencies "solve" this to some extent by using Hierarchical Deterministic wallets ("HD wallets") where a single secret plus a deterministic "count" is used to generate multiple "accounts", each with its own receive address.
The problem is that it isn't clear to me Monero has any HD wallet implementations, and I'm not familiar enough with monero to say whether generating lots of different accounts would even be feasible.
I'm a Monero dilettante, but my understanding is that this is not the case - your private key (or some derivative of it) is needed in order to unmask transactions on the blockchain that involve you, so others can't see what you've been up to. See below:
"When you send funds to someone’s public address, what happens is that you actually send the funds to a randomly created brand new one-time destination address. This means that the public record does not contain any mention that funds were received to the recipient’s public address.
For the same reason, the funds that you are sending were not associated with your own public address either in the public record. Therefore, when you send these funds, the public record will not show that the funds originated from your public address and will not show that the funds were sent to the recipient’s public address."
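As an added illustration of the one-time destination address mechanism quoted above (this is example code written for this thread, not code from the Monero project), here is a minimal pure-Python sketch of the Cryptonote derivation: the sender publishes a transaction key R = rG and the output key P = H_s(rA)G + B, and only the recipient's view key a can recompute P from R. Assumptions: SHA3-256 stands in for Monero's Keccak hash-to-scalar, and cofactor multiplication and other production details are omitted.

```python
import hashlib
import secrets
# ed25519 curve constants (twisted Edwards, a = -1); the curve Monero uses.
PRIME = 2**255 - 19
ORDER = 2**252 + 27742317777372353535851937790883648493
D = (-121665 * pow(121666, -1, PRIME)) % PRIME
G = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     46316835694926478169428394003475163141307993866256225615783033603165251855960)

def ec_add(p1, p2):
    x1, y1 = p1
    x2, y2 = p2
    t = D * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, -1, PRIME)
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, -1, PRIME)
    return (x3 % PRIME, y3 % PRIME)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = (0, 1)  # neutral element of the group
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def h_s(pt):
    """Hash-to-scalar. Assumption: SHA3-256 stands in for Monero's Keccak."""
    raw = pt[0].to_bytes(32, "little") + pt[1].to_bytes(32, "little")
    return int.from_bytes(hashlib.sha3_256(raw).digest(), "little") % ORDER

def keygen():
    """Recipient keys: private (a = view, b = spend) and public address (A, B)."""
    a = secrets.randbelow(ORDER - 1) + 1
    b = secrets.randbelow(ORDER - 1) + 1
    return (a, b), (ec_mul(a, G), ec_mul(b, G))

def sender_derive(A, B):
    """Sender picks a random tx key r and publishes R = rG and P = H_s(rA)G + B.
    Only R and P reach the blockchain; the address (A, B) itself never does."""
    r = secrets.randbelow(ORDER - 1) + 1
    R = ec_mul(r, G)
    P = ec_add(ec_mul(h_s(ec_mul(r, A)), G), B)
    return R, P

def recipient_scan(a, B, R, P):
    """Recipient recomputes H_s(aR)G + B with the view key; a match means 'mine'.
    Without a (or the sender's r) nobody can tell which address P belongs to."""
    return ec_add(ec_mul(h_s(ec_mul(a, R)), G), B) == P
```

Two payments to the same address produce unrelated output keys, which is why the public record shows no reuse of the recipient's address; the out-of-band knowledge the thread is discussing (the sender knowing which address they paid) is untouched by this.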
Sure, I'm not contending that the information is exposed in the blockchain, I'm saying that third parties that keep logs of their sends can collude at a later time to produce a more complete picture of the transactions sent to an individual.
Right now avoiding that in monero is difficult. Subaddresses (as linked above) solve some of that, but as there is still a linear time scan increase, I wonder how prevalent their use will be. Will people create a new address for each receive they do? Maybe, maybe not.
All I can really say is that the cryptonote protocol was probably designed to focus on privacy within the blockchain. Intrablockchain privacy. Anything out-of-band was not considered within scope, maybe. I'm just speculating because who knows what the cryptonote developers were thinking. The Monero core team is working to advance what cryptonote started, and subaddresses are a step in the right direction.