Everything in a MimbleWimble chain, and even at the transaction broadcast level, look like sorted sets of uniformly random curve points. There are no amounts as you point out, but there are no addresses either.
If Alice gives you a coin and then you spend it to Bob, what stops Alice and Bob from identifying that they delt with the same person? This isn't an issue of addresses or values, but the transaction graph. The only thing that hides that in mimblewimble is aggregate transactions. But again, they don't hide it if you see them assembled. To such an attacker , the transaction graph is entirely intact.
The transaction graph (apart from private aggregation) is intact to an attacker who has seen all transactions being broadcast, but can then only relate outputs that they themselves have been involved in (like Alice and Bob in your example) to real world identities. This is the great advantage of having no addresses.
So now, tell me what that "attack" gives you?