That's assuming that the issuer, mediator, and destination are all distinct entities who don't communicate with each other except as described in the protocol. If they are the same entity, or they collaborate, all those nice privacy guarantees disappear. And the destination—not the user—decides which issuers & mediators they accept.