>1. Are users of .onion services protected from the server just as well as the hidden service is protected?
An .onion server, AFAIK, might have the IP of the end point your traffic ended up going through to reach the .onion server, but not of the point of origin.
The vulnerability with Tor, as a user, comes from folks operating the Tor nodes. Adrian Lamo, the guy that sold out Bradley Manning, was running Tor nodes at one points (that's not how he got wind of Manning, but my guess is he wasn't running the Tor nodes for altruistic reasons).
> An .onion server, AFAIK, might have the IP of the end point your traffic ended up going through to reach the .onion server, but not of the point of origin.
Correct. All any tor node gets with any traffic is the immediate node that it came from, and the immediate node that it is going to - only one hop in each direction.
If you get a packet from node C, to give to node E, that packet will be encrypted so that only E can decrypt it. They then "unwrap it" (like pass the parcel, or an onion) to reveal its next destination, F - and this unwrapped one is encrypted so that only F can read it.
(note: precise technical details almost certainly incorrect, but the principle is accurate)
An .onion server, AFAIK, might have the IP of the end point your traffic ended up going through to reach the .onion server, but not of the point of origin.
The vulnerability with Tor, as a user, comes from folks operating the Tor nodes. Adrian Lamo, the guy that sold out Bradley Manning, was running Tor nodes at one points (that's not how he got wind of Manning, but my guess is he wasn't running the Tor nodes for altruistic reasons).