Is that even in the case where the server is seized, or when "Dread Pirate Roberts" leaves his laptop with passwords & encryption keys open when being arrested? Or just by default if the attacker is looking at network activity but doesn't have access to the machine?
The Monero daemon does not know what addresses the deposits came from. So even if the server was seized there would not be any information to glean about this.
Withdrawals in the db may have addresses and amounts, although RingCT upgrades make this more and more useless, but even without RingCT the addresses do not correspond to any information in the blockchain. The best case law enforcement would have had, before RingCT is to have seized the database of several exchanges, where users transferred Monero directly between both exchanges and they could see addresses in both databases. In this respect, Monero is much more akin to accounts at financial institutions, where subpoenas are needed to glean any information at all. But further enhanced by retaining the individual control of private wallets that cryptocurrency allows, where financial institutions are an embellishment to temporary user experience problems.
