There are too many features we don't support yet, which makes anonymizing in the top query unfeasible.
Leaf subqueries referencing a sensitive table should be the anonymizing ones.
That means no joins, no filters, no unsupported bucketization. Everything post-anonymization should be allowed (including ORDER BY, LIMIT, OFFSET, SELECT with grouping, and HAVING in the anonymizing subquery).