
Same goes for TLS - there's ample evidence that TLS data is being suctioned up at scale and stored for eventual decryption.


Anyone can be a Monero contributor and can work on the hard fork.


Why would you assume all miners accept the hard fork? They don't have to.


Everything is open and transparent, so a "leak" is absolutely guaranteed. It appears the plan is to merely make some sort of change every 6 months such that an ASIC manufacturer hardly has time to develop a change, tape out, and actually mine for longer than a month or two. This should make it prohibitively expensive.


There are no "insiders" with Monero. Just like many FOSS projects, everything is developed in the open and entirely transparently. The first time anyone has visibility on PoW changes is when someone comes up with specifics and opens a PR, and as can be seen on the current PR there's little chance that the first pass is the one that will go in.


That's an unfair statement. The Monero Research Lab has several full-time PhD'd cryptographers who are paid for by crowdfunding from the community, just none who are specialised enough that they can comfortably sign off on the change. I think it's a good thing that those researchers don't overextend and act like they are all-knowledgeable.


But they DO need privacy, they're more at risk of targeted theft than regular users. ZCash fails at this by making it impossibly hard for an exchange to allow z-address withdrawals, and impossibly hard for a mobile app / hardware wallet to support them, which means large holders withdrawing from an exchange are painting a target on their back.


I’m a massive MW proponent but the privacy claims are very weak compared to ZCash and Monero. What MW does well is scalability.


No it isn't, the paper is a re-hash of the work that the Monero team themselves put out in September 2014 and in January 2015.

https://lab.getmonero.org/pubs/MRL-0001.pdf

https://lab.getmonero.org/pubs/MRL-0004.pdf


You couldn't buy drugs with Monero until the end of 2016 when, coincidentally, RingCT was hard-forked in and this paper's entire basis for existence disappeared.

Also two of the Monero Research Lab papers both identify and quantify the problem, and then suggest solutions to it. At no point do the papers dismiss them as theoretical: https://pbs.twimg.com/media/C9nIqDmUQAAqP-R.jpg:large

MRL-0001 is nearly 7000 words, the entirety of which is devoted to showing how dangerous mixin-0 transactions are (i.e. the bulk of this 'empirical analysis' paper). MRL-0004 similarly consists of nearly 7000 words, although this time they don't only have an entire section devoted to "traceability with zero mix-in spending", but they cover knock-on effects of banning them ("change and dust force zero mix spending"). They then identify further issues including "temporal associations", "association by use of outputs within a transaction", and "combinatorial attacks to reveal outputs".

The MRL-0004 paper provides a roadmap to defeating some of these by forcing a minimum ring size, but notes that a perfect output selection strategy could not (at the time, as now) be determined. They note that "although we have identified this security issue, we are not making formal recommendations yet until we have further data to inform our choices".

Subsequent to that the Monero developers switched to a triangular distribution for selection, and then more recently they added a %-of-outputs-must-be-recent scheme (I can't recall what %). This, combined with the advent of RingCT, has defeated the claims of the research paper. There is no double-think about older transactions, because nobody could use them for anything of note, and it was during a time when 'fluffyass' kept telling people not to buy Monero (which I believe he continues to do).
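To make the "zero mix-in spending" problem discussed above concrete, here is an added example (not code from the Monero project, from the MRL papers, or from the commenter) of the chain-reaction analysis those papers describe: every ring of size 1 reveals its spent output, that output can then be removed as a candidate from every other ring it appears in, and any ring that shrinks to one candidate is in turn traced. The output ids and rings are constructed sample data; the second data set shows what happens to this particular deduction once a minimum ring size is enforced.

```python
"""Chain-reaction traceability over a toy ring-signature transaction graph.

Added example, not code from the Monero project.  Each transaction input is
modelled as a ring: the set of output ids that could be the one really
spent.  A ring of size 1 is a zero mix-in spend, and an analyst learns the
spent output for free.  Output ids and rings below are constructed data.
"""
from collections import deque

# Constructed sample: rings seeded by two zero mix-in spends (tx1, tx4).
SAMPLE_RINGS = {
    "tx1.in0": {"o1"},              # zero mix-in: o1 is certainly spent
    "tx2.in0": {"o1", "o2"},        # o1 known spent, so o2 is the real spend
    "tx3.in0": {"o2", "o3", "o4"},  # o2 and o3 get eliminated, leaving o4
    "tx4.in0": {"o3"},              # zero mix-in: o3 is certainly spent
    "tx5.in0": {"o4", "o5", "o6"},  # o4 eliminated; {o5, o6} stays ambiguous
    "tx6.in0": {"o7", "o8", "o9"},  # untouched by the cascade
}

# Constructed sample with a minimum ring size of 2 enforced: no seed.
MIN_RING_SIZE_RINGS = {
    "tx1.in0": {"o1", "o2"},
    "tx2.in0": {"o2", "o3"},
    "tx3.in0": {"o3", "o4", "o5"},
}


def chain_reaction(rings):
    """Run the cascade to a fixed point.

    Returns (traced, remaining): traced maps input id -> deduced spent
    output; remaining maps input id -> candidate outputs still plausible
    for that input after all deductions.  The input dict is not modified.
    """
    remaining = {inp: set(cands) for inp, cands in rings.items()}
    traced = {}
    queue = deque(inp for inp, cands in remaining.items() if len(cands) == 1)
    while queue:
        inp = queue.popleft()
        if inp in traced:
            continue
        (out,) = remaining[inp]          # exactly one candidate left
        traced[inp] = out
        # The output is spent here, so it cannot be the real spend elsewhere.
        for other, cands in remaining.items():
            if other in traced or out not in cands:
                continue
            cands.discard(out)
            if len(cands) == 1:
                queue.append(other)      # newly deanonymised ring
            elif not cands:
                raise ValueError(f"{other}: every candidate already spent")
    return traced, remaining


def effective_ring_sizes(remaining):
    """Anonymity set actually left per input after the cascade."""
    return {inp: len(cands) for inp, cands in remaining.items()}


def fraction_traced(rings):
    """Share of inputs whose real spend is fully determined."""
    traced, _ = chain_reaction(rings)
    return len(traced) / len(rings)


if __name__ == "__main__":
    traced, remaining = chain_reaction(SAMPLE_RINGS)
    print("traced:", traced)
    print("effective ring sizes:", effective_ring_sizes(remaining))
    print("fraction traced:", fraction_traced(SAMPLE_RINGS))
    print("fraction traced with min ring size 2:",
          fraction_traced(MIN_RING_SIZE_RINGS))
```

Two of the three-member rings in the first data set end up fully traced without ever having chosen a zero mix-in themselves, which is the knock-on effect the papers are worried about. The second data set only shows that this particular deduction has nothing to start from once every ring has at least two members; it says nothing about the temporal or combinatorial attacks the same papers go on to describe.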



