$f$ is defined as a function from the Elliptic Curve group to the finite field used to define the curve, yielding the X coordinate of the point considered. For the purpose of that definition, I'll assume the neutral of the group law (aka point at infinity, and noted $\infty$) has coordinates $(z,z)$, with $z$ a fixed element of the field such that for $x=z$ the curve's equation has no solution $y$ (for all standard curves over a prime field $\mathbb F_p$, and AFAIK all others, we can take $z=0$, where $0$ is the field's neutral).
The set $S$ is the image of the whole group $\langle G\rangle$ by $f$, thus a subset of the field including $z$.
$f$ is almost exactly uniform on $S$: the set $S$ has $(n-1)/2$ elements where $n$ is the (prime) order of $\langle G\rangle$, and each element of $S$ except $z$ has precisely two antecedents by $f$, sharing the same X coordinate. $z$ has a single antecedent, and that's $\infty$.
From a cryptographic standpoint (thus with $n$ large enough that $\sqrt n$ is not enumerable), probability that an enumerable number of independent and uniformly random elements $W_i$ of $\langle G\rangle$ include $\infty$, collide, or have colliding $f(W_i)$ is negligible, and the $f(W_i)$ are (indistinguishable from) independent and uniformly random elements of $S$.
Argument: for a given $x$ in the field, the curve's equation becomes a fixed second degree equation, which in a finite field has zero, one or two distinct solutions. When $x\in S$, the case zero solutions occurs only for $x=z$, by definition of $f$ and $S$. The case of one solution does not happen for standard curves over a prime field (I know no exception for others¹, and if there was it would be exceptional anyway). That leaves two solutions as the only (or at least the overwhelmingly most common) case for $x\ne z$.
¹ That holds for curves with equation $y^2=x^3+ax+b$, which is the case for ECDSA using a prime field. Proof that holds for any ECDSA curve, or refutation, are appreciated.
