There are so many more ways one could screw up, and you only need to screw up once. For example, does X do browser fingerprinting and did you ever use similar setup to use a more identifiable Twitter account? Are you using unique phrasings or behavioral patterns? These things can be solved to a satisfactory degree, but I don't think "it's not hard" captures it - for an average user it _is_ hard.
> Are you using unique phrasings or behavioral patterns?
Why would Twitter voluntarily run that sort of query to satisfy a subpoena?
Whether it's difficult and risky for the average user depends on the threat model. "Twitter doesn't directly have my name, address, or phone number sitting in their database next to my account" is easy. Other things are more difficult.
Phrasing idiosyncrasies are publicly observable and anyone can note - as external observers did in Kaczynski or Hanssen cases - that a particular phrasing is quaint. It is probably true that Twitter is unlikely to run a browser fingerprinting query to de-anonymize someone tweeting spoilers from a softcore porn show. But a potential leaker has to ask: "how sure am I of that?"
