If you give the same address out to different people, they can collude to figure out they are paying the same person (by trivially comparing addresses). This is solveable with the diversified addresses feature, but given the above question, I will treat this as out-of-scope (because the adversary is the only person with the address).
Assuming that the adversary does not have access to an efficient quantum computer, they learn nothing (that someone without the address couldn’t learn) from fully-shielded transactions:
- Shielded addresses are not visible in transactions. They are present in an encrypted form in Sapling outputs, but the corresponding encryption key can’t be derived from the address.
- The sender of a note to an address cannot compute its nullifier (in Sprout they need the spending key; in Sapling they need
nk from the full viewing key) and thus can’t tell when the note is subsequently spent.
In shielding and unshielding transactions, the shielded part retains the same properties as above, but the transparent part leaks information (as @garethtdavies mentions above). For example, if the adversary sends some particular value X.xxxxxxxx to the shielded address, and then later sees the exact same X.xxxxxxxx getting unshielded to a transparent address (and nowhere else in the block chain), they can be reasonably confident that the unshielding transaction is from the same address.
If the adversary has access to an efficient quantum computer, they can compute the incoming viewing key from the address, and therefore see everything that an incoming viewing key can see. That is:
- They can detect every transaction received by the address.
- They can decrypt and see the note values received, and the corresponding memo fields.
Note that this requires the adversary to have access to the address. They can’t arbitrarily decrypt transactions on the block chain, because what they actually need to do is break the Diffie-Hellman part of the output key derivation, which requires either knowing the address and recovering the private part of the ephemeral public key in each transaction (to then compute
DH(pk_d, esk)), or recovering the incoming viewing key from the address (to then compute
DH(epk, ivk)). They would of course do the latter, because they only need to do so once in order to then detect every incoming transaction).
They can’t see outgoing transactions, or detect when any particular note sent to the address is spent, because breaking those parts of the key structure would require breaking hash functions or symmetric cryptography, neither of which are (currently) known to have efficient quantum algorithms.