It's true that HE is a backbone but there is an enormous difference between having bits of your traffic transiting a firehose and sending your entire session thru someone's endpoint.
The latter is much more comprehensive and identifiable.
This isn't to throw shade at HE; I don't recall any complaints about their integrity. It's just to say HE's tunnel is in a practical position to monitor, should they choose or be compelled.
