[mjl-]

I'm not so sure it's expensive (in general at least, not sure about their case). I think the typical approach for encrypting data is: Use asymmetric crypto to protect a master symmetric key. Then use that master key to get per-data (eg per file) symmetric keys. Then encrypt all the data with the data symmetric keys.

You can just replace the non-pq asymmetric protection with pq asymmetric protection.

[Out_of_Characte]

I would agree with you if the risk was only the in-flight asymmetric crypto data. But as I understand it, when you use non-pq asymmetric crypto to roll the symmetric key in, then you would still risk the unbreakable symmetric encryption when the carrier protocol gets broken. Reusing the same key would be an amateur mistake. Now, 'just replace the asymmetric crypto' becomes, 'your data is only safe in-flight because everyone knows our shared symmetric key'

All of this is very low risk but anyone wishing to have post quantum encryption probaly wouldn't appreciate three letter agencies having all of the symmetric keys if you ever used the weaker algo versions in a post quantum world.

>You can just replace the non-pq asymmetric protection with pq asymmetric protection.

Would you really feel safe with that?