A couple of notes to add that aren’t completely ELI5-level answers but are worth noting.
One is that there used to be a pre-configured default of 3 hops in tor. Although that could be overridden, few changed it. That made it less difficult to identify origins through a few different ways (such as timing). If “they” (such as a hostile government) managed or controlled enough nodes (around 50% I believe, which it turns out was trivially easy to do when there weren’t all that many active nodes in use), then there was almost a certainty that they controlled all 3 nodes for a given connection and therefore could determine source and origins fairly easily. I assume that’s changed in the past 5 years?
The second thing to note is that ultimately, regardless of how many hops you do, the final destination website can identify you in many different ways. An obvious one would be if you go to a website that requires an email address. It is increasingly difficult to obtain an email address completely anonymously – and the few places that will still give you one are banned or rejected as valid email addresses by most websites. And most sites that issue acceptable email addresses only do so after you’ve provided them with some form of traceable identification (such as a mobile phone or another traceable email address). And if you created that email address while not on tor, then it’s likely that you are traceable back through your IP address.
Users of tor need to understand that no amount of obfuscation and encryption is any good if you simply give up your anonymity the moment you’re on a website while using tor.
Tor browsers by default will try to prevent website code from asking your browser who you are (JavaScript, Facebook icons, unique identifiers etc) but these same tor browsers allow users to override these safety measures fairly easily – and wily websites will often intentionally make it frustrating for users to use them with these safety features enabled.
A frustrated tor user may decide to lower or switch off some of these tor capabilities, forsaking security for convenience. And in doing so, allow websites to quickly ascertain data on the user that the tor browser was trying to prevent being known.
And while there still remain ways to keep your identity completely anonymous and untraceable while using tor, those ways are becoming more and more difficult to achieve without extensive and current technical knowledge. Meaning that for the majority of non-expert level tor users, you shouldn’t assume your identity is unknowable or untraceable. You’ll likely give it away at some point.
Obviously many technical people will argue this point, but it’s likely that these are people with sufficient technical prowess and motivation to stay ahead of the game. For the rest, probably not so.
My point is this. Those that aren’t highly skilled at security may believe that tor browsing provides complete anonymity with little effort or regard on their part. And people asking ELI5-level questions are probably the most vulnerable to this mistaken belief. For the rest of us, it’s worth remembering that when we explain tor et al to the masses.