If I did and I cared about anonymity I would never download a file unless all internet on my machine or VM was piped through Tor (such as using Whonix or some dedicated security appliance). If I was using the Tor browser I wouldn't even even turn on Javascript without those protections for that matter.
On the other side of the spectrum, running Tor on Windows is insane. Almost every flaw I have seen in Tor mostly or only effects Windows users.
Viewed as a munition, the fact that Tor source code was opened up more than a decade ago but well into the post-Patriot act era suggests that its direct value as a munition had become less significant. However, since the release seems to have had the effect of retarding development of alternatives for some years, this might be seen as an indirect value of Tor as a munition.
Practically speaking, Tor on its own and absent an ecosystem of serious security hygiene, is likely to leak data to an attacker with targeted intelligence and barely non-trivial technical means. Because relatively few people have the will and the technical skill and the need to do all the other things that are required to use Tor in a secure manner.
Or to put it another way, in the context of the GWOT, it seems likely to me that Naval Research Labs only provided a free and unlimited crytpographic munition only because it could readily defeat its use by adversaries.
Personally I haven't used Tor except for short casual testing. But if my personal security would depend on the anonymity provided by Tor, I think I'd seriously consider adding an additional layer of protection to avoid information leaking out "to the sides".
Never access files downloaded over Tor outside of those environments, and _never_ mix identities: if you're going to be pseudononymous, don't access files downloaded under another pseudonym or visit websites you'd access (especially if logging in) under another. If you're going to be anonymous, don't save the data: let it be ephemeral, which is easy in the case of Tails, which is ephemeral by default.
Always use Tor Browser, not Tor over Foxyproxy in a vanilla Firefox or something. Don't rely on torify on your normal setup for complete anonymity, for reasons above.
But it depends on your threat model. I _do_ do both things in the previous paragraph for my day-to-day stuff where my threat model involves e.g. advertisers and other privacy-invading trackers, where I'm reading tech-related articles or downloading videos of talks, for example. But that involves a number of other addons as well (e.g. Privacy Badger, HTTPS Everywhere, NoScript, uBlock Origin, self-destructing coookies, ...).
Edit: Forgot to mention: https://www.whonix.org/wiki/DoNot
Use Whonix, not Tails. Tails doesn't do a particularly good job preventing leaks outside of Tor network.
That's the most clean-cut way of not mixing anonymous and regular files/configurations/whatever.
If my life depended on Tor, I would definitely do this.
This is why the feds want to redistribute child porn for weeks at a time. They can't break tor to de-anonymize users. They need to distribute files with beacons in them for this plan to work. Never mind that the police have become the child porn traffickers.
http://disinfo.com/2016/01/why-did-the-fbi-operate-a-child-p...
For example you could download a HTML file over Tor, that file could have a <img /> tag in it which reveals your real IP when you open it in the non-Tor browser. Ditto with Office macros, any scripting language, Adobe Reader, etc. If you're going to just accept through warning dialogs then you're in trouble.
Niche indeed. The potential target group of users who think "just use Tor and you're safe" is vanishing rapidly.
