[BCM43]

I'm pretty sure buckets use star certs and thus the individual bucket names won't be in the transparency logs.

[8organicbits]

Ah you're right, they are always wildcard certs. I think I was mis-remembering https://news.ycombinator.com/item?id=15826906, which guesses names based on CT logs.

In either case, the subdomain you use in DNS requests are not private. Attackers can collect those from passive DNS logs or in other ways.