It works by lumping the coins of all the users together, breaking any direct connection between the endpoints of any given transaction.
Suppose Alice makes a deposit at the bank, but in the margin of the deposit slip she writes "for Bob". The cashier at this particular bank records a credit of $1000 from Alice, then prints and mails $1000 of cashier's checks to Bob, recording that series of debits as well. Later, the authorities raid the bank and seize its ledger. They can see a credit from Alice and a bunch of debits to Bob, but there is no transfer between Alice's account and Bob's account; this only proves that Alice could have paid Bob. If this bank has hundreds of other customers making similar transactions every day, it's basically impossible to use the ledger alone to prove any connection between Alice and Bob.
Now scale that up so that "the bank" is actually a consortium of banks that also perform a bunch of transactions among themselves to further obscure any associations among customers.
It's now easy to tell you're the thief as you own all the bills with all the ID numbers that were registered as used for the sale.
You then put it in a big box together with a thousand others who all also have $1k. You then shake and tumble the box, and then hand out $1k to each and every one of them.
It's now quite hard to determine who is the thief, as everyone has about 1 registered bill, but 999 unregistered bills.
Then magnify that by a lot and throw in some extras, and it gets tricky.
Monero is not a magic cure-all! Monero needs a very big warning, like the one the Tor Project gives about how Tor alone is not going to save you.
Another big piece of management is a tree-shaped wallet graph. You want to split your money regularly, then churn and obfuscate each wallet. And NEVER JOIN THEM. Even with Monero there is no safe way to join amounts. If you split into Wallet1 and Wallet2, and 10 transactions later they are running low and you want to consolidate, then you run a high risk of correlating all those transactions.
At this time, there is no official guidance on how to use Monero safely.
I don't think there ever will be :) It all depends on risk tolerance, as you correctly noted.