Agreed. And I see there’s a big difference between a private-tx sidechain which only causes risk for those who opt-in to use it - and private voting for L1 governance, where the risk is taken by the entire network.
I see your concern about accountability of heavyweights. But I think I have a better idea, and it won’t come as a surprise: What if we bound the voting power of individual entities and people by making private-voting sybil-resilient? At least to a bounded extent? This could even be the basis for quadratic voting which cannot work without sybil-resilience.
Imagine you could only vote (privately) if you provide proof-of-personhood (i.e. decentralized from Encointer, or through centralized/federated KYC registered on KILT?). This is not fantasy: We could basically combine this, this, and this, all rather low hanging fruits by now
This way, we would protect privacy of individuals and address my concerns in the OP, while conserving pseudonymous accountability for institutions