Always sending change to a particular mixer can be a breadcrumb for a prying eye to see.
That's true, and I certainly don't do it all the time for this reason, but it highlights another way these heuristics can be fooled. Let's say I'm paying from a P2SH address to a merchant or service who are also using a P2SH address. I redirect the change to ChipMixer on a P2PKH address. According to these sites, this is a low privacy transaction because it is obvious which address is the change (the same address type as my input), when in fact they are completely mistaken.
If fooling these kind of sites is your goal, then in addition to using mixers, coinjoins, and other privacy enhancing methods, then you should also use a variety of transaction types to obfuscate what's change and what isn't, what's a payment and what isn't, and which addresses are under your control.
As I understand, by artificially imitating common heuristics we can achieve a way greater level of privacy, an even greater one than that after mixing and conjoining. But what I am yet to comprehend is how exactly we can simulate it. For example, you mentioned a method when we redirect a change to a completely different address, the address that doesn't belong to our wallet. How can we do that? As far as I know, change addresses are generated automatically, have a special derivation path, and are usually hidden (Electrum wallet is an exception, though). In order to fool heuristics we should not choose our own change addresses and instead sent UTXO leftover to mixer address directly. How can we control that process if it is usually done automatically by the software we are using?