I never appreciated how broad this issue actually was. When I mentioned the “referer” stuff, I meant “the whole block of info that the browser sends along with the referer itself”, which also includes User-Agent. Sorry for the shameless abuse of terminology.
The only thing I’m certain of at this point is that I now feel less secure than when I submitted the question in the first place. I guess that happens often on this forum.
If would be real nice if PureOS and/or Cubes just had a cookie cutter solution which preempted most of these concerns. But probably no one from either group is reading this thread, or cares.
Thanks for all the info above. I’m really pleased to see all the dirty laundry being aired out in public. But for now, I have to admit that I’m sort of stumped as to what (not) to do about all of it without creating more rabbit holes. (I mean, not the literal question of which hostname to use, but the implicit followon question of how best to manage its downstream transmission.)