Abstract:
Retrieval-augmented generation (RAG) systems extend language model capacity by incorporating an external database. This augmentation, however, introduces a novel privacy vulnerability: mapping attacks (MA), which reveal whether a private fragment is indexed and how it is retrieved. No defense strategy has yet been designed specifically to counter such attacks. We introduce AMRP-SIP, a dual-randomization framework that concurrently protects both the document embeddings and the retrieval traces while preserving state-of-the-art utility. AMRP-SIP comprises three lightweight stages. First, a Random Orthogonal Projection compresses each query and document into a low-dimensional latent space, hiding the raw embeddings and reducing downstream noise. Second, Adaptive Differential Privacy injects cluster-adaptive Gaussian noise, ensuring (ε, δ) fragment-level privacy. Third, a score-dropout layer perturbs the similarity scores with noise and drops each retrieved document with probability p, thereby obfuscating the retrieval trajectory. Experiments on Wiki-40B, PubMed, and IP-Database show that AMRP-SIP reduces the AUC of membership inference attacks (MIA) from 0.75 to 0.27.
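The three stages described above, as an added illustration on constructed data; this is not the paper's code. It assumes a concrete form for each stage that the abstract leaves open: the projection is the Q factor of a Gaussian matrix, "cluster-adaptive" is modelled as a per-cluster L2 sensitivity equal to the cluster radius, and the noise scale follows the classical Gaussian mechanism (σ = Δ·sqrt(2 ln(1.25/δ))/ε, valid for ε < 1). The function and parameter names (`build_index`, `retrieve`, `noise_scale`, `run_demo`) are hypothetical.

```python
import numpy as np

# Added illustration of the AMRP-SIP pipeline on constructed data, not the
# paper's implementation. Assumed details: QR-based orthogonal projection,
# cluster radius as per-cluster sensitivity, classical Gaussian mechanism.


def make_rng(seed):
    """Seeded generator so every stage is reproducible."""
    return np.random.default_rng(seed)


def random_orthogonal_projection(d_in, d_out, rng):
    """Stage 1: a d_in x d_out matrix with orthonormal columns (assumed: QR of a Gaussian)."""
    gauss = rng.standard_normal((d_in, d_out))
    q, _ = np.linalg.qr(gauss)  # reduced QR -> orthonormal columns
    return q


def orthonormality_error(q):
    """Diagnostic: max |Q^T Q - I|, which should be ~0 for a valid projection."""
    return float(np.abs(q.T @ q - np.eye(q.shape[1])).max())


def gaussian_sigma(epsilon, delta, sensitivity):
    """Noise scale of the classical Gaussian mechanism for (eps, delta)-DP (eps < 1)."""
    return sensitivity * np.sqrt(2.0 * np.log(1.25 / delta)) / epsilon


def adaptive_dp_noise(x, labels, epsilon, delta, rng):
    """Stage 2: Gaussian noise scaled per cluster.

    Assumed adaptivity rule: a cluster's L2 sensitivity is its radius (max distance
    of a member to the centroid), so tight clusters receive less noise.
    """
    x = np.asarray(x, dtype=float)
    labels = np.asarray(labels)
    noisy = x.copy()
    for c in np.unique(labels):
        idx = labels == c
        centre = x[idx].mean(axis=0)
        radius = float(np.linalg.norm(x[idx] - centre, axis=1).max())
        sensitivity = max(radius, 1e-6)  # singleton clusters have radius 0
        sigma = gaussian_sigma(epsilon, delta, sensitivity)
        noisy[idx] += rng.normal(0.0, sigma, size=noisy[idx].shape)
    return noisy


def cosine_scores(query, docs):
    """Cosine similarity between one query vector and every document row."""
    query = np.asarray(query, dtype=float)
    docs = np.asarray(docs, dtype=float)
    norms = np.linalg.norm(docs, axis=1) * np.linalg.norm(query) + 1e-12
    return docs @ query / norms


def score_dropout(scores, k, p, noise_scale, rng):
    """Stage 3: perturb scores, take the top-k, then drop each hit with probability p."""
    scores = np.asarray(scores, dtype=float)
    perturbed = scores + rng.normal(0.0, noise_scale, size=scores.shape)
    top = np.argsort(-perturbed)[:k]
    keep = rng.random(len(top)) >= p  # rng.random() is in [0, 1): p=1 drops all
    return [int(i) for i in top[keep]]


def build_index(doc_embeddings, labels, d_out, epsilon, delta, seed=0):
    """Stages 1 and 2, applied offline to the document store."""
    rng = make_rng(seed)
    q = random_orthogonal_projection(np.asarray(doc_embeddings).shape[1], d_out, rng)
    protected = adaptive_dp_noise(np.asarray(doc_embeddings) @ q, labels, epsilon, delta, rng)
    return q, protected


def retrieve(query_embedding, q, protected_docs, k, p, noise_scale, seed=1):
    """Stages 1 and 3, applied online to each query."""
    rng = make_rng(seed)
    scores = cosine_scores(np.asarray(query_embedding) @ q, protected_docs)
    return score_dropout(scores, k, p, noise_scale, rng)


def run_demo(seed=42):
    """Constructed corpus: 2 clusters of 10 documents in 32 dimensions."""
    rng = make_rng(seed)
    centres = rng.standard_normal((2, 32)) * 5
    labels = np.repeat([0, 1], 10)
    docs = centres[labels] + rng.standard_normal((20, 32))
    q, protected = build_index(docs, labels, d_out=8, epsilon=0.5, delta=1e-5)
    return retrieve(docs[3], q, protected, k=5, p=0.3, noise_scale=0.05)


if __name__ == "__main__":
    print("retrieved after dropout:", run_demo())
```

With a budget as strict as ε = 0.5 the per-cluster σ is several times the projected vector norm, so the demo's hits are close to random; that is the utility cost the paper's adaptive scaling and projection are meant to reduce, and the block is a place to measure it (compare hits against the noiseless top-k) rather than a tuned setting.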