The only thing that falls apart is the IP address identification, which is only a very small signal for identifying an internet user. X/Twitter undoubtedly has more identity information than just an IP address.
Doesn't matter if the device you used phoned home with your IP address and any kind of identifier. Your OS that sends telemetry every 7 seconds, a Windows update check, another tab with a social media account open. It's easy to cross-reference that stuff and figure out what a person's regular ISP is. Almost nobody uses a VPN 100% of the time and at the router (because your OS will phone home before your desktop finishes loading).
Twitter won't have your various device IDs and VPN IPs are typically shared among many clients simultaneously. You could certainly generate a suspect list but I don't think you'll get conclusive evidence.
That said, I don't know how much browser fingerprinting Twitter might be doing and if fingerprints from other services might be possible to cross-reference. Much higher risk is probably visiting other sites both with and without the VPN using the same browser without thinking about it and thus leaking your fingerprint or even account cookies that way. Or if you don't run a filter, then visiting a site without the VPN that embeds Twitter tracking assets would leak to them directly.
You're right that you can end up with a suspect list instead of a direct answer, but it shouldn't be hard to narrow it down from there, especially in a case like this where most people wouldn't have access to privileged info about unaired shows to start with. It also helps if you have more than one IP address to start with. You can end up with multiple suspect lists, but only one or two people who show up on all of them.
At which point Twitter will probably yell at you to "verify" with a phone number or something else tied to your government name. Yes, you could probably go get a prepaid SIM for cash (depending on your country, many now ban this though America doesn't) but very few people bother with it. Or they just lock your account and demand your ID, which I think they now sometimes do.
There are so many more ways one could screw up, and you only need to screw up once. For example, does X do browser fingerprinting and did you ever use a similar setup to use a more identifiable Twitter account? Are you using unique phrasings or behavioral patterns? These things can be solved to a satisfactory degree, but I don't think "it's not hard" captures it - for an average user it _is_ hard.
> Are you using unique phrasings or behavioral patterns?
Why would Twitter voluntarily run that sort of query to satisfy a subpoena?
Whether it's difficult and risky for the average user depends on the threat model. "Twitter doesn't directly have my name, address, or phone number sitting in their database next to my account" is easy. Other things are more difficult.
Phrasing idiosyncrasies are publicly observable and anyone can note - as external observers did in the Kaczynski or Hanssen cases - that a particular phrasing is quaint. It is probably true that Twitter is unlikely to run a browser fingerprinting query to de-anonymize someone tweeting spoilers from a softcore porn show. But a potential leaker has to ask: "how sure am I of that?"