Grubbs et al. acknowledge in <a href="http://dl.acm.org/citation.cfm?id=2978351">their CCS'16 paper</a> that Attacks 1 and 2 are out of scope for Mylar:

<ul>

<li>Page 1355: "Mylar explicitly does not hide access or timing patterns" 


<!---  Indeed, Mylar's NSDI'14 paper clearly states "Mylar does not hide data access patterns, or communication and timing patterns in an application." !-->

<li>
Page 1359: "every principal in Mylar has a name, which is used to verify the authenticity of keys and thus intentionally left unencrypted by the Mylar developers." 

<!--- Indeed, in Mylar, "the developer specifies which data in the application should be encrypted" using the API in Fig. 2 of Mylar's NDSI'14 paper, and this is the only information Mylar aims to protect. !-->



</ul>