The rand method starts with point on curve and scales by cofactor..
but it doesn't seem to start from random point - the x coordinate is random,
but then the 'get_point_from_x' method seems to deterministically choose the y coord,
rather than randomly from the two options.
So can we still say the final subgroup point is random?

I think there's a good chance it's just random on half the group.
Cause if the equation is of the form y^2=f(x)
(x,y) and (x,-y) are inverses so
also after scaling you always only one of P or -P

False alarm: The greatest flag with which get_point_from_x is called randomly chooses a y.
ack: @Pratyush