I'm not sure if I understood it correctly but it sounds like they're able to know which website of the top 20 you're visiting based on how much the power usage changed whilst charging.
If that's correct then what's the actual real world problem here?
Power analysis has opened a lot of doors for indirect attacks.
If they can predict which site you're on, they can also possibly detect an unsecured secure algorithm's state.
SSL or PGP had a similar "power starvation" attack: reducing the power to the power supply and watching power drainage allowed one to predict private keys.
There really is none. If you control the environment where someone is charging their phone while using it, it wouldn’t be hard to just point a hidden camera at the screen.
Or just offer free wi-fi and watch people’s traffic.
No, if all you want is detecting which one of 20 websites a user is browsing to, which you can do by checking how much power it uses, you can definitely do that from traffic patterns even if the traffic flows through a VPN.
And this ‘leak’ assumes a user has his phone on a charger while it is already full; there is no guarantee it works.
If that's correct then what's the actual real world problem here?