[tptacek]

If that's really a concern of yours, the only logical responses are:

(1) Don't do any cryptography

(2) Seriously study cryptography so that you can attempt to analyze conclusions axiomatically.

Any other answer requires your to trust people that might be agents of NSA.

[wolf550e]

I guess there is also the approach, not favored by cryptography engineers, which is to decide for some projects that you don't care about efficiency, you would securely combine too many primitives. Like stream chunks for bulk encryption, but each chunk uses both AES-CTR-256 and ChaCha20, both with extended nonces, and HMAC-SHA256 for MAC. The asymmetric part combines X448, P-521, Kyber-1024 and NTRUPrime-whatever, the way normal people combine X25519 with Kyber-512. If people I trust would build "tinfoilhatcrypto" this way, I would use it for some things. The environmental impact of using this for small amounts of data would probably be negligible.