Another approach to hide which packages are downloaded could be to run an apt mirror on a server in the local network which can download all packages in advance. Now upgrading your packages on PureOS devices will be done inside your local network and not via the internet. This could also speed up the upgrade process.
Also, the connection to PureOS’s repos is protected by TLS. An attacker sees that you connect to those repos and can deduce that you are using PureOS. But the attacker does not see plainly which packages are being transferred. Also, it might be possible to do some clever analysis to gain more detailed information.