I can just assume most Monero users swap CEX coins for Monero or use a CEX when that option is available. The vast majority of users prefer convenience, accessibility, and usability over privacy and security, which is a problem that Monero has yet to solve. It works for what it's supposed to do, but as of right now the adoption is primarily out of necessity and not usability. While the above does not appear definitive, it is a problem worth highlighting and a problem that I consider worth solving. Sure, it's better from an anonymity standpoint to buy it with cash P2P; it's better from a privacy standpoint to never use a phone; it's better from a security standpoint to flash your BIOS with open-source firmware. The problem is not that these things are better in each of those areas in comparison to the commonly used alternatives — the problem is they fail at virtually everything else. Accessibility, usability, and user experience are virtually everything these days. If you want large scale adoption, the technology has to excel in the above three facets. If it doesn't, large scale adoption is unlikely to occur.
For example, SimpleX has arguably better privacy and security features than Telegram. However, just because a tool or technology may be superior in one or two areas, does not mean it will lead to widespread adoption — it means it will be adopted by the niche groups who prefer a tool excelling in these areas and who are willing to sacrifice other attributes in exchange. This fundamentally does not capture the broader market. The reason Telegram is so widely used by criminals is not because it has some unique security architecture, but because of its accessibility, usability, and user experience. It is:
- Easy to create an account
- Easy to use
- Easy to discover desired content and users
- Easy to integrate into workflows
- Easy to use as a UI for interfacing with bots
- Easy to promote your content
- Easy to follow users and content
SimpleX on the other hand is glitchy, resource intensive, considerably lacks discoverability features, and is at its core far less accessible and usable in comparison. A similar story can be said about XMPP. When you make a tool that excels in one area at the expense of these other areas, you may get users to adopt your tool, but you will almost exclusively cater to niche users.
This is a massive problem in the open-source world. Programmers and other technical (often autistic) people are great at solving technical problems, but terrible at human psychology and factoring in the human element. In the end the technology is intended to be used by humans, which is why the human element cannot simply be dismissed. If you allow people to screw up, it's only a matter of time until they do. Murphy's law: Whatever can go wrong, will go wrong. If this happens on a larger scale, then that is a systemic problem and not a problem relating to any one individual, and if this happens with your technology, then your implementation and execution are fundamentally flawed.
To be fair, it happens a lot on the surface world too. I've experienced it far too many times at work with people just doing as they're told. They're told to build something, so they build it. They are asked a question, so they answer it. This is precisely why projects fail. Someone with their head in the game will not just build something, they will attempt to identify what problem the corresponding stakeholders are attempting to solve and why. This leads to figuring out why they chose a specific path to solve the problem. If it isn't the objectively most viable solution to solve the given problem, it either means you lack additional information that factors into their decision making process or they are unaware of the other options that you may have thought of. In that case, it is advisable to raise the issue and propose alternative solutions and elaborate on your reasoning. If someone asks a question, the important part is to not just blindly answer the question, but to identify and understand why this person is asking that specific question to begin with. Maybe they are attempting to understand something, but are asking the wrong question due to a limited understanding of the technical details. In that case, it would be wiser to focus on ensuring they have an understanding of the details and then figure out whether that is the correct question to ask. Unfortunately... finding people like this is unbelievably rare. They're practically unicorns at this point.
Going back to Monero, I view the traceability of Monero at this time as a considerable problem given that it's touted as a privacy coin and the community tends to defend and promote it pretty heavily. The tracing attack as outlined above does seem less likely to provide a full picture on a small level, but if you widen the scope and increase the size of the data, you are more likely to get an accurate image. It is unclear how much processing power it would need. It could be a scenario similar to brute-forcing. Technically every password can be brute-forced, but it's the time and resources it would take that makes it viable for only certain circumstances and conditions.
Unfortunately, it's the hype that ends up with users being under the completely wrong impression, such as believing it is fully anonymous rather than based on plausible deniability. It would be phenomenal and a complete game changer if it was completely anonymous and untraceable, but it isn't, and I do wish the Monero community was more open and transparent about this fact. The same can be said about other "privacy" coins and their communities. In general I do get annoyed by how diehard these communities tend to be in shilling and defending their respective coin instead of approaching their technology with skepticism and scrutiny.
Based on my own research, it should be noted that as of right now the primary means of tracing Monero is by performing correlation attacks, behavioral and timing analysis, and deploying malware or otherwise attempting to gain access to the wallet keys. Based on past cases, the biggest danger relates to exchanging Monero for fiat currency and not buying or transacting with Monero. What is clear and should be mentioned more often is that using Monero by itself is insufficient, if plausible deniability or anonymity are a requirement. Churning should also be handled with care as it can do more damage by establishing specific patterns. Exchanging Monero coins — especially exchanging them for other privacy coins — and then exchanging them back to Monero via separate non-KYC exchanges appears to be a viable low-cost alternative by adding an additional layer of complexity.
For those saying to buy P2P and not from a CEX, there is nonetheless the problem of the 3rd party gateways. For example, you purchase 10 XMR from one vendor on Haveno. You have three different identities, each of which requires the purchase of services from distinctly different vendors, but all of which use the same 3rd party payment gateway. Let's assume for each identity, you must pay three vendors 1 XMR totaling 9 XMR. While the coins may have been purchased P2P and not from a centralized exchange which analyzes transactions using blockchain analysis software, there is a heightened probability of the identities being linked as coins originate from the same source. Yes, there are the ring signatures, but if we factor in the rest of the Monero network, then those 9 transactions are far more closely related than they are related to any other transactions on the entire network making them temporally very close. Now, there is a heightened probability of linking the three identities together and tying them back to the same person. Then there is the additional problem of behavioral and timing analysis assuming you made those transactions around the same time and continue to make the same number of transactions each week, month, or another specified time frame. So even if you buy them P2P, the same method can be applied.
If my reasoning is flawed or I'm basing this on an incorrect understanding of the current implementation, let me know.