I find this somewhat naive. If DDG was ever something they wanted to track or aren't currently tracking in some way, they can. I mean lavabit and silent circle were forced to either comply or shut down.
Lavabit and Silent Circle are both predicated on retaining persistent user state (messages, logins, etc.), and could be required to modify back-end code to select on that and either dump state (possibly unencrypted, I'm not sure of the specifics of their methods), provide stream intercepts, etc. The point is: user identification is integral to the services.
DDG doesn't operate that way. Access it through a sufficient diversionary proxy (Disconnect Search, TOR, what have you), and you're simply another (unknown) IP address making another (known) search request. While I won't say it's impossible to tie the two together, the cost is far higher than the case where 1) user search history is explicitly stored or 2) a direct IP history is connected.
Scale your countermeasures to suit your paranoia level / risk model. If you're concerned over browser fingerprinting (https://panopticlick.eff.org/), you'll want to include privoxy as well as TOR.
Note that even unauthenticated users to Google are issued cookies, and undetermined amounts of browser state are tracked. I've got a statement from a Google engineer on G+ that such indicators aren't used to identify accounts, but whether or not they're used to identify end users at all is an unanswered question.
So, short answer: you're right, using DDG of itself isn't a perfect guarantee, but it's a much smaller risk envelope than Google offers, and it can be reduced to pretty near nil with a few additional provisions, all of which hugely increase intercept costs.
Tor doesn't keep the site from knowing who you are. It only prevents an observer from determining the relationship between you and that site from traffic alone, as that is encrypted and obfuscated.
So if you're using Google directly via TOR, you're back in the risk case that your data-at-rest identify you. They can be linked by various means: your username, if that identifies you, by patterns of behavior across multiple sites, by ad syndication networks and shared cookies, etc.
So, no, TOR alone isn't sufficient security in the case of Google.
Your patterns of behavior across multiple sites is not going change whether you're using DDG or Google. And presumably, if you are using TOR, you are not logged into Google, using an incognito window, have scripts to block Google Analytics, etc.
If the NSA is tracking you across the internet outside of Google's Search Box, you've got bigger problems than Search History. Searching for "Bomb Making 101" is the least of your problems if they see you actually visiting BombMaking.com as well as BombMaterialsShop.com
You're postulating a threat model in which anonymized and proxied browsing isn't good enough, because somehow they'll capture all your behavior anyway and then tie it to anonymous search history. My point is, if they can do that, frankly, the fact that they have your search history is the least of your troubles.
This appears to be a threat model specifically designed to sell the DDG use case and fight the notion that using Google un-logged in via a privacy browser isn't "good enough". I'm not sure the case can be made that the DDG scenario is marginally better enough to justify worse search results.
