From the point of view of a less-than-technical law enforcement person writing a affidavit in support to get a search warrant, abusive traffic from a tor exit node is indistinguishable from a person who is physically at a specific street address/premises with a laptop or computer engaged in the activity.
They're going to assume until proven otherwise (by first confiscating all your electronics and sending them to a digital forensics lab to analyze them for 6-12 months) that some person who is physically present at that exact location is engaged in CSAM/CP or malicious/illegal activity.
I mean, there is a public list of all tor nodes in the world so it is pretty distinguishable in that sense.
Presumably still worth checking out in case a criminal is running a tor node as cover, but at the same time it seems unlikely someone is both technical enough to run a tor node but also doesn't bother covering their tracks.
They're going to assume until proven otherwise (by first confiscating all your electronics and sending them to a digital forensics lab to analyze them for 6-12 months) that some person who is physically present at that exact location is engaged in CSAM/CP or malicious/illegal activity.