How about this?
Unless you're connecting to Whirlpool via RoninDojo, Samourai Wallet devs can deanonymize you because they will know your main wallet xpub, your pre-mix xpub, your post-mix xpub and toxic change xpub.
Which is the case for every wallet in existence. If you aren't connecting to your own full node, then the owner of whichever node you are connecting to will be able to monitor your activity. I don't think this is a vulnerability by any means, especially since Samourai are completely transparent about this fact and encourage people to run Dojo themselves. It is more of a trade-off between people wanting some privacy but not wanting to run a node, and people wanting much more privacy and therefore running a node themselves.
I was looking for a vulnerability where a user could do everything right and still be deanonymized, as is the case for this Wasabi vulnerability.