...and you know which telephone numbers send data to the pager and at which time. That is sufficient to track or identify individuals.
If this is a supply chain attack, the attacker already knows, which pagers are part of the organization they want to target.
What this thread here shows really well, is that the general population vastly underestimates the abilities of intelligence agencies and technology in general.
I feel like there's a very fine balance for the effort required to publish a package.
Too easy and you get npm.
Too hard and you get an empty repo.
I feel like Java is actually doing a relatively good job here. Most packages are at least documented a bit, though obviously many are outdated.