Owning exit nodes is not sufficient to reveal the identity of tor users. Owning a large percentage of relay nodes AND exit nodes could compromise the anonymity, as one could just follow the progression of any data throughout the network. If the traffic volume is small enough to be able to statistically separate the streams from various users, it may be sufficient to surveil relay and exit nodes, instead of actually owning the hardware.
There are limitations: the exit node can mess with the data at will, in both directions, and this is how the FBI owned the visitors to a pedo site. They injected some HTML (I'm not positive that it was HTML/JS, but one would assume) to make the browsers of the users connect to FBI servers outside of Tor. It was a bug in firefox that allowed this.
There are two strategies to protect against this,
1) Encrypt everything; only access SSL sites over Tor. This works in theory because the exit node can no longer mess with the data stream. The only way to reliably use this strategy is to *block* non-SSL traffic. There are so many websites with mixed content, which may pull images and ads from non-SSL streams. Also, NSA may be able to break SSL either by a proper MITM attack (completely hypothetical, no evidence exists) or by owning private keys for some CAs.
2) Block any non-tor access from the system used to access Tor. This is possible at the network level with extra hardware, VMs and possibly with SELinux. If the browser *cannot* communicate over the standard internet, only Tor, then one is moderately safe. It's still important to configure the browser to not send identifiable information for fingerprinting and tracking cookies.
By doing 1 and 2 one is quite safe. It may be fine to use a less safe setup for non-secret stuff, like checking facebook, and contributing to flood the tor network with un-interesting traffic. If the "really anonymous" mode required restarting Tor, the NSA would be able to see this from ISP logs, of course.