About the Referer header, from what I read the header is not sent only
if "an unsecured HTTP request is used and the referring page was
received with a secure protocol (HTTPS)" [1]  That should be rare since
the search engines now redirect to HTTPS right away and people would be
entering their search terms in a form submitted over HTTPS.

A spot check of a few browsers shows the Refer header in use for these
at least when using HTTPS:

        Mozilla/5.0 (X11; Linux x86_64; rv:56.0) Gecko/20100101
        Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
        Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML,
                like Gecko) QupZilla/1.8.9 Safari/538.1
        Mozilla/5.0 (X11; CrOS x86_64 9765.85.0) AppleWebKit/537.36
                (KHTML, like Gecko) Chrome/61.0.3163.123 Safari/537.36
        AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.75
        Lynx/2.8.9dev.11 libwww-FM/2.14 SSL-MM/1.4.1 GNUTLS/3.5.6

The Referrer Policy is in the draft stage [2] and might or might not
affect source web sites in the future, but if it does it looks like it
is a very long way from becoming widely deployed, years if ever.  So it
is unlikely to be a factor in Q1 2018 or Q2 2018

[2] https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-origin

 The referrer policy is already in use at Google, which is why we don't see users' search queries in referer field in our request logs; just that they came from Google.

- Mikhail