Research potential for deanonymization by a compromised "amnesia" user

We already deny access to the Tor control port from the “amnesia” user. Still, there are possibly other ways, for a compromised “amnesia” user, to deanonymize the Tails user, e.g.:

taking control of Vidalia (that is running as a dedicated user, but inside a X session controlled by the “amnesia” one), and using its access to the Tor control port; e.g. a selection of bridges picked by the attacker is probably enough to deanonymize the user.
using NetworkManager, e.g. to get a list of Wi-Fi access points around
more?

Subtasks

#15635

Related issues

Related to #6549
Related to #9366 (closed)
Has duplicate #5505 (closed)

Original created by @intrigeri on 7072 (Redmine)

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information