Correlation attacks only work when you can see both ends of the traffic. When you visit an .onion address, there is no other “end”—all traffic stays within the Tor network and goes directly to the hidden service server, which is ‘just’ another relay within the network.
I would assume that the NSA runs enough TOR nodes to correlate traffic from one side of the network to the other side at least a decent percentage of the time. I would also assume that they have a realtime view of the number of bytes entering or leaving any datacenter.
