I have not proposed this yet in an RFC, but there is an interesting issue. The network knows when it is about to deliver to a relay node. The address of the client is like (client address, relay node address). So you can imagine the last node connected to the relay node knows it is delivering to the exact relay node. Therefore it is easy for the network to encrypt the last hop direct to the client. i.e. the header saying deliver to client is available to the relay, but the content is encrypted to the client itself. This way relay nodes have no knowledge of what they actually deliver, preventing any sniffing of what is being delivered.
This seems to fix any inbound snooping, the outbound is a bit more complex, but follows the same pattern. This way the relay nodes are really kept in the dark, which means even a broke or fake relay node can cause no snooping issues for us.