Then you can compare this "rct" with taproot: you have some public key, encoded directly in your taproot address. You can spend by key or spend by script. If you spend by key, you need a signature matching your "rct", so if "H(G)" is provably unspendable, you cannot spend by key. So you spend by script, you reveal your key, where everything is accumulated, you publish your "aH(G)". Then, that value can be subtracted and to spend your funds, you have to sign it with "xG".
In this case above, you have one x-value, your own private key. But imagine there are more participants. You have Alice with rctA=xG+aH(G) and Bob with rctB=yG+bH(G). Then you can create rctA+rctB=(x+y)G+(a+b)H(G) and pretend it is your rctC=zG+cH(G), where z=x+y and c=a+b. Even if you spend by script, nobody can tell if there is one participant or maybe 40 people mixing their coins for months by doing off-chain transactions for many months.
Also note that you can hide more things in this way, not only your private key. You can hide everything you want to sum, for example coin amounts. If you spend by script, you can prove that nobody can mess up with H(G) and spend it directly without other participants. I can imagine a sidechain peg-in by that kind of output, where you have one huge N-of-N multisig and by looking on-chain you can only check how many coins are locked, but you have no idea how many participants are inside and who owns what. As long as people cooperate, there is no need to touch on-chain coins.