Hi all, first of all I want to second everything that @janhack said, but still add some thoughts to this very interesting topic.
Mimblewimble is a privacy variant of the UTXO model (as used by Bitcoin). In contrast to Bitcoin, Mimblewimble does not even have the most simple scripting language. Transactions can only be private and verifiable at the same time because they are incredibly simple (sum(inputs) + sum(outputs) = 0; no output < 0). This is very powerful technology but only in the very specific niche of sending tokens around.
As implicitly mentioned by Jan, there are different aspects of privacy (which are well defined in the academic literature), including:
ballot privacy: a voter can keep their vote private if they want to
receipt freeness: a voter has no way to prove to someone else how they voted, even if the voter wants to
The second property is crucial if you want to avoid vote buying.
When taking a closer look into this very interesting paper, you see that after casting a vote, the voter can send their private voting key (different from their usual account key) x_i and the vote choice v_i to a vote buyer. The vote buyer can re-compute the vote using public data, x_i and v_i and check if that vote is on-chain. If the on-chain vote matches the agreed choice, the voter gets a reward. Vote sold.
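An added example, not part of the original post or of the paper it discusses: a toy model of why a ballot that can be re-computed from public data plus (x_i, v_i) is a receipt. The ballot form h^x * g^v, the registered voting key g^x, the tiny group and all names are assumptions made for illustration; the paper's actual construction is not reproduced here.

```python
# Toy parameters (constructed, far too small for real use).
P = 2039             # safe prime, P = 2*Q + 1
Q = 1019             # prime order of the subgroup generated by G
G = 4                # generator of the order-Q subgroup
H = pow(G, 77, P)    # assumed public per-voter value, derivable from chain data


def cast_ballot(x, v, h=H):
    """On-chain record for private voting key x and choice v in {0, 1}:
    (voting public key g^x, ballot h^x * g^v)."""
    return pow(G, x, P), (pow(h, x, P) * pow(G, v, P)) % P


def is_receipt(x, v, onchain, h=H):
    """True if the revealed (x, v) re-computes exactly to the on-chain record.
    Uses only public data plus what the voter chose to reveal."""
    return cast_ballot(x, v, h) == onchain


def openings(onchain, h=H):
    """Exhaustively list every (x, v) that matches the on-chain record.
    Feasible only because the toy group is tiny; it shows the record is
    binding, so a voter cannot present a second opening for another choice."""
    return [(x, v) for x in range(Q) for v in (0, 1)
            if cast_ballot(x, v, h) == onchain]


if __name__ == "__main__":
    record = cast_ballot(123, 1)          # constructed sample vote
    print("honest reveal accepted:", is_receipt(123, 1, record))
    print("false claim accepted:  ", is_receipt(123, 0, record))
    print("all valid openings:    ", openings(record))
```

Because the record has exactly one valid opening, revealing x_i turns the on-chain ballot into proof of the choice. Receipt freeness requires that a voter be able to give a plausible opening for a different choice, or be unable to give any opening at all.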