Apologies for my difficulty to comprehend blinded certificates, but I still don't understand what prevents you from keeping logs which would give away the activity of the users. For example, I created a note and deposited money to an address tied to that note. You could have kept that. Then, when someone sent me money to my public address, you could have known which note was spent in which public address.
Unless the front-end is coded in such manner that prevents the unveiling of that information, I don't know how provable privacy is ensured.
We can't let users choose the fees themselves because all transactions are sent from the same multi-sig so we can't really afford to have any of them stuck for a long time.
Okay, but that doesn't answer on why having arbitrary fee rate. The network could be flooded with transactions in such quantity that maybe 2500 sat/addy is neither enough.