Seems like all it would take to solve this dilemma is
an encrypted proxy
that delivers the decryption code(s) to the WMF developers. So the editor
gets privacy from User:JoeSchmoe but Wikipedians with a certain level of
permissions could determine the point of origin.
Logging in does exactly that. It hides your IP address from anyone
without the checkuser bit.
Something like that would come in very handy for the
editors from mainland
China, and a couple of smaller countries that firewall access.
That's not a matter of hiding your identity, it's a matter of hiding
the identity of the site you are viewing. Anonymous proxies/TOR do
both, but they are different things.