[throw0101a]

> [...] is there any scenario where you wouldn't also want 4096-bit keys?

For the time being, 3072b seems to be "good enough" if you want more than 2048b. It's all you need for official Top Secret stuff (per IAD-NSA), as well as BSI and ECRYPT-CSA recommendation for the next few years:

* https://www.keylength.com

There's nothing "wrong" with it per se, it's just that it's probably not strictly necessary. Why take the (potential?) performance hit by going to 4096 if it doesn't really get you anything practical?

Most people don't seem to care about whether they're using 128- or 256-bit AES, but when it gets to RSA there seems to be a bigger debate between 2048 or 4096 (with 3072 hardly being mentioned).