The images and other resources would be part of the query. I don't know how Chrome prioritizes loading of resources, but if it prioritizes those resources in the current view, it might be possible to tell specific information about a page based on DNS traffic.
Example: Let's say Chrome loads resources in the current view first, and you send a deep link with "cancer" as a search term. If a gullible user follows that link, then...
- If "cancer" does not appear, the first resources queried will be those at the top of the page.
- If "cancer" does appear, the first resources queried might be those used elsewhere in the page.
Doesn't it mean that by watching DNS requests for resources, one can also derive which path on a web server I am visiting? For instance, when fetching over TLS, such an attacker should be able to tell whether I requested https://example.com/dank-memes.html or https://example.com/just-text.html, right? If that's the case, then this feature (ScrollToTextFragment) will not make privacy worse than it is already and the worries are just contemporary security theatre.
The example that keeps getting put forward seems unrelated to the new feature in the sense that you can do the exact same with a https://url#cancer link.
My understanding was that only the domain is queried, but the full path is not seen by a DNS server.