Tor is tricky.
If you have serious issues, I suppose it's always possible to block the exit nodes from the specific HTTP endpoint where the trouble is caused, or require authentication at that point, even if I would advise being very sparing with such measures.
For the law enforcement route, a judge could be convinced to order tracking the exit node's incoming connections for the purpose of tracking the child abuser down, then the relay node, then the guard, and yes these change frequently but rinse and repeat and you'll get it eventually (speak of dystopian...). The barrier I see is that some jurisdictions will find it disproportionate to track all incoming connections and relays and guards (this will fan out) for only one abuse case. You'll really have to get every involved country on board in whatever you're pursuing, so it ought to be really bad and otherwise you can suck it up. So you make a good point that you can't simply enforce anything even if that's broadly illegal under the current system.
VPNs are much easier because they're a single entity and so there's no huge fan-out (don't need to wiretap/subpoena tens–hundreds of entities, just have to ask 1 entity for data on 1 subscriber, or compel them to produce it henceforth if they don't have it). If they didn't do logging in the past, indeed you'll need to wait for a repeat offense, so again I suppose you're right that an IP+ts isn't enough. Does this speak in favor of the private key government-backed identity? I'd honestly really rather it didn't.