who is aware of the query is not all that matters ; the apparent

origin of the query also matters, depending of the position of the

attacker.

Sure, but keep in mind: Even if an attacker could gain access to all
root zone servers, he could not see the necessary follow-up queries on
TLD level (e.g. country domains, or .com, .net, etc.) and beyond. If I
looked up host.somedomain.fr, a root zone snoop might show my interest
in a French domain, but nothing else.

Currently, when a resolver receives the query "What is the AAAA
   record for www.example.com?", it sends to the root (assuming a cold
   resolver, whose cache is empty) the very same question.  Sending the
   full QNAME to the authoritative name server is a tradition, not a
   protocol requirement.

Does the version of the recursive resolver you're using

do this?

Or does it send only the minimal name required?

T