alt Hacker NewsSeems contrived. What type of a person cares about deanonymization attacks and nation-states trying to find him, but doesn't have an always-on VPN? Even without this attack, not using a VPN means you're 1 wrong click/tap away (if you accidentally clicked on a link) from leaking your IP.
Right, agreed that VPN is the primary mitigation against this from a user perspective. But opsec is hard, especially when the attack can be triggered by a notification when the victim might not be expecting it and might not have VPN enabled (e.g. maybe they only enable VPN when using Discord).
(But notifications are already a bad idea for opsec anyway.)