It's hard to comment speculations.

But fortunately, even if what you're saying was true you're still safe! Endpoint alone can't tell much about the origin of the connection :)

This is key - Tor's purpose is to help you be anonymous. It does not give you confidentiality; for this you need additional tools (such as SSL).

Yup. Let me support that with a link: https://trac.torproject.org/projects/tor/wiki/doc/TorFAQ#Can...

If they're actually following the "correct" way to implement tor routing, wouldn't they still be unable to determine the source / destination? I suppose if they're being shady, though, they could either route only to other known nodes they control, they could still track the traffic.

The client chooses every node that is used. The client picks the three nodes, and then encrypts the traffic using each of those three nodes public keys in order. Then each node in turn peals off a layer of encryption and passes it on to the next node, which is the only node that is able to decrypt the next layer.

The Tor client is also careful about picking nodes from a wide geopolitical range to minimise the chance of collaborating nodes in the circuit. If all three nodes are in the U.S., it might be easy for the government there to track the origin. But they'll likely have a much harder time if two of the nodes are in Russia and China.

If the adversary can watch the traffic at the entry node and any one of {the exit node, the websites you're visiting, a compromised router in between}, then they can de-anonymize your traffic pretty easily using statistical techniques. (All my links on this subject are a decade old; I'm sure there's newer research.)

The Tor client tries to take this into account when choosing entry and exit nodes, but it has to consider other threats as well and there's a limit to how well it can do. Remember the adversary only has to get lucky once to discover that you are a member of the Rebel Alliance and a traitor; you have to evade them every time.

Ross Anderson calls this "programming Satan's computer". It's like you have an NFA that always chooses the worst state transition rather than the correct one.

I agree with everything you've said, but just wanted to mention "Entry Guards" as the "solution" that the Tor Project came up with for, "the adversary only has to get lucky once". The idea being that the Tor client picks only a few nodes for network entry and re-uses them. Otherwise, eventually you'd connect to all entry nodes.