They wouldn't need to. They'd ask his residential ISP to monitor him instead.
If you're using Tor, take it as a base assumption that the exit node is logging your traffic, or even modifying your http traffic.
Tor's value is in concealing the association between your visible access of an entry node, with visible activity on an exit node.
That’s right, Tor doesn’t mean your traffic is completely hidden for the public web. It just attempts to break the link.
The list of exit nodes are public, it’s not a difficult exercise for Five Eye to intercept like >90% of its traffic through the ISP or backbone level.