Just to keep fair criticism here, sybil attacks in coinjoins are easily detectable
They are easily detectable if the developers have dedicated a part of their software to defending the user from such attacks. Bitcoin Core has worked on it, for example. The user cannot be expected to use all sorts of coins, from different devices, for the sake of confirming they aren't under sybil attack. I haven't found anything substantial in their client's repository.
But you are still passing information to hidden services in clear text.
I still don't get it, though. What does it matter? Alice and Bob are two separate Tor identities.