By low-trust, I mean a setup in which the servers that the SPV client is using do not receive information that would allow them to track the client transactions.

I imagine bloom filters with a very high false positive rate could do the trick, but I'm not sure, because when building the mixin set in order to send a payment, the client would be constrained to using only the false positive outputs it received. It wouldn't be a random distribution. I'm not sure that's acceptable. It would allow the servers to link the transactions of the wallet together by seeing the match with the filter, even if the wallet is accessing the servers through Tor.

How does the current communication between simplewallet and bitmonerod works, actually? I took a look here and didn't find anything that could hint the answer. Who constructs the transaction? I'd suppose it'd be simplewallet, but then how does it ask bitmonerod for the inputs for the mixin? If there's a RPC call of the kind "give me a random distribution of N inputs with X amount", perhaps SPV clients could send this call, with a high N to many different nodes, and then get only a few inputs from each node. Assuming the SPV wallet is not being sybil attacked, the servers would not know which is the true input.