A few questions

I am trying to make a 2nd address that I can use publicly without everyone knowing how much money I have. I have already deposited and withdrawn to a new account using the relay feature. I have a few questions about privacy and the protocol.

  1. If I have 2 addresses in the same wallet, is there any way for someone to know that the same person owns both of them (this one may be a stupid question, I know; I’m already 98% sure I know the answer to it, but I want to be 100% sure)?

  2. I’ve noticed the Tornado Cash front end keeps track of my notes. Is this done through a cookie, and if so, shouldn’t I be concerned about 3rd party websites looking at my cookies?

  3. Are there any privacy concerns I should think about when I try to claim my AP? If I claim my AP using my non-public address, is it possible someone could figure out what withdrawal was mine by seeing when I deposited, seeing how much AP I got, then just using math?

  1. Not a stupid question. Generally, no. However, cookies can make associations between two accounts when you haven’t cleared your cookies in between using them at login. It is also good opsec to use entirely new wallets from seed phrase between mixes. You can use MyCrypto to easily generate a new wallet and import it into MetaMask.
  2. I’m fairly certain they’re kept in local storage in your browser. This is generally secure, but of course can be hacked similar to keeping an unencrypted private key on your desktop. I would not trust it with high amounts of notes. Someone might want to correct me on this, though.
  3. Yes. This is a perfectly valid concern, and it is a legit vulnerability. What can you do? Couple things: (a) don’t spend all your AP for TORN in one claim. Spread out the claims to multiple wallets in smaller withdrawals (when you swap AP for TORN), or (b) accumulate multiple notes before withdrawing and then claim all the TORN at once or in smaller batches like in option (a).
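
The "just using math" linkage from question 3, and the effect of options (a) and (b) on it, as an added example that is not part of the thread or of the Tornado Cash code base. It assumes AP accrues linearly per block at one fixed rate and ignores fees; `RATE` and every block number are constructed sample values.

```python
# Added illustration; not code from the thread or the Tornado Cash project.
# Assumption: AP = RATE * (withdraw_block - deposit_block), fees ignored.

RATE = 20  # hypothetical AP earned per block in one pool

# Constructed public pool history (block numbers only).
DEPOSITS = [1000, 1040, 1100, 1250, 1300]
WITHDRAWALS = [1500, 1620, 1700, 1810, 1900]


def note_values(deposits, withdrawals, rate=RATE):
    """AP that each possible (deposit, withdrawal) pairing would have earned."""
    return {(d, w): rate * (w - d)
            for d in deposits for w in withdrawals if w > d}


def candidates_exact(revealed_ap, values):
    """Pairings that fit if one note's whole AP is swapped in a single claim."""
    return [pair for pair, ap in values.items() if ap == revealed_ap]


def candidates_partial(revealed_ap, values):
    """Pairings that fit if the swap may be only part of a note's AP."""
    return [pair for pair, ap in values.items() if ap >= revealed_ap]


if __name__ == "__main__":
    values = note_values(DEPOSITS, WITHDRAWALS)
    my_note_ap = RATE * (1620 - 1040)  # sample note: in at 1040, out at 1620

    # One claim for the full amount: the revealed number pins the pairing.
    print("full claim  :", candidates_exact(my_note_ap, values))

    # Option (a): a smaller swap only gives a lower bound on the note's AP.
    half = my_note_ap // 2
    print("half claim  :", len(candidates_partial(half, values)), "pairings fit")

    # Option (b): AP from several notes swapped together matches no single
    # pairing, so the amount alone no longer names one deposit/withdrawal.
    two_notes = my_note_ap + RATE * (1810 - 1250)
    print("two notes   :", candidates_exact(two_notes, values))
```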