It's well-known that direct message metadata is public on nostr since everyone can see who is messaging whom and when. One solution to this problem is for the entire event including its metadata to be encrypted before being sent. This outer event can be encrypted and signed with a random key pair, thus hiding the true sender of the direct message.
Alternatively, one can encrypt the kind 16 with one's own key pair and send to an intermediate pubkey which is responsible for forwarding the message on to the final recipient. This too would provide anonymity as long as the intermediate pubkey is receiving messages from different users, and effort is made to remove correlation based on timing.
On receiving a kind 16 event the client should decrypt both the outer and inner content, displaying the decrypted inner content to the recipient.