Because you'd still know everyone who went to a specific site because they'd be sending you unique hash. Even if you ignore that, you'd know what clusters of people all use the same sites, how often and when.
That was the intent of the bloom filter. Configured properly it would actively filter out the need to endlessly send the server requests like "Hey, have anything for this hash?"
However I suppose that if the site does have comments, then you do have to make requests to the server to get them...
Still, I believe you're being overly pessimistic here. I think there may be some solutions to this. Maybe not perfect, but better. Lets say our social network "Ascenter" has become corrupt and is looking blackmail its participants. What about this?:
The design currently requires you to send a sha(URL+salt) to the server to look up comments. This prevents Ascenter from directly knowing what site the comments refer to, but the comments themselves will be a big clue. What if to look at the comments you have to decrypt them using sha(URL+salt2)? Ascenter will have no means to derive this key, it will only be able to determine how many comments have being placed and how large they are. That improves things a bit...
But Ascenter might be able to crawl the web to discover conversations. Particularly for salacious sites if it's looking for blackmail. So... What if the salts are the answer to that? If you had your own set of salts you could use them to create your own private groups, Ascenter would have no way to access that conversation. Or even figure out that they have occurred.
With the presence of public and private salts, what if the browser plugin itself could be configured with a blacklist of sites not to send requests for? You could still have private channel comments, but not public. I could see the community per-generating a black list...
One last note I'd end on here is that the level of trust we are expecting right now is a huge bar lower than the level of trust we give general social networks
Consider what HackerNews could do if it went rogue like like Ascenter? To blackmail you all they would need to do is go to one of your old comments, rewrite it as something salacious, then blackmail you with it. Comments on HackerNews arn't signed, and arn't encrypted. We're quite vulnerable to them.
edit: sorry for the long post. This was a bit of a stream of consciousness.
TL;DR: The bloom filter limits the risk, and I think there are cryptographic solutions that reduce the level of user exposure to below that of current social networks.
The bloom filter wouldn't stop you from confirming folks gathered around any specific page that has content, and would have a fixed probability of leaking data even if there was no data there.
And that ignores the problem that you're not going to be able to sync the bloom filter in real time, so now you're going to need to have a very merge-friendly design for these annotations.
No, I'm not being pessimistic. This is just a candid analysis of the difficulties of doing this competently. If you'd like to do it incompetently, feel free.
you could easily make this privacy safe.