The one vulnerability is if the key exchange was you swapping php keys with LE thinking its a vendor. And even at this point, say you do give name and address, wouldn't GOOD OPSEC eliminate meta for retroactive identity verification? So then, would you say: "The moment of truth would of course be ones determination to maintain good OPSEC which validates his/her plausible deniability?"
I believe so. The only evidence they would have is a package being sent to your address/name if your OPSEC is tight, which would be hard to prove that you actually ordered. Someone please correct me if I'm wrong.
Oh, and this is assuming you clean house before the package arrives of course.