> This is the supply that a sufficiently powerful quantum attacker could steal by inverting ECDSA/Schnorr signatures
While I only read approximately one more sentence than you did of tfa, I would also like to know what "sufficiently powerful" means and why we don't want public keys to be public
Yes, and that's the right instinct. Public keys are designed to be safely public under classical assumptions: deriving a private key from a secp256k1 public key takes roughly 2^128 operations classically, which is practically infinite.
The quantum caveat is that Shor's algorithm solves exactly that problem (elliptic-curve discrete log) in polynomial time on a sufficiently large quantum computer. So "this key is public" goes from "safe by design" to "spendable by whoever builds such a machine," if one is ever built.
Bitcoin's address design actually anticipated a version of this: most address types don't put the public key on chain at all, they put a hash of it (the "PKH" in P2PKH/P2WPKH). The key is only revealed the moment you spend. Hash functions hold up under quantum attack (Grover's only halves the margin), so coins behind an unrevealed hash stay protected even in that world.
The 25.3% is the set where that protection is already gone: early pay-to-pubkey outputs that embed the key directly, Taproot outputs (the address IS the key, by design), and - the largest bucket - addresses that were reused after a spend, which reveals the key permanently.
So: public keys being public is fine today. The measurement is how much value sits where "fine today" has a quantum expiry date attached.
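As an added illustration of the "which coins have their key already exposed" measurement described above (example code, not from this thread or any project cited in it): the script below builds a few constructed scriptPubKeys of the four types mentioned (P2PK, P2PKH, P2WPKH, P2TR), tracks which pubkey hashes were revealed by an earlier spend, and sums value per exposure bucket. The key bytes, amounts and the `Utxo` record are all made up for the example; the one real detail is that HASH160 is RIPEMD160(SHA256(x)), with a labelled fallback for Python builds whose OpenSSL lacks RIPEMD-160.

```python
"""Bucket a constructed UTXO set by whether its public key is already on chain.

Added example for the thread above; not code from the article or any project.
"""
import hashlib
from dataclasses import dataclass

OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG, OP_0, OP_1 = 0x76, 0xA9, 0x88, 0xAC, 0x00, 0x51


def hash160(data: bytes) -> bytes:
    """Bitcoin HASH160 = RIPEMD160(SHA256(data))."""
    sha = hashlib.sha256(data).digest()
    try:
        return hashlib.new("ripemd160", sha).digest()
    except ValueError:
        # Assumption for portability: some OpenSSL builds ship no RIPEMD-160.
        # A truncated double-SHA256 keeps the example runnable; real nodes use RIPEMD-160.
        return hashlib.sha256(sha).digest()[:20]


# Script templates for the output types discussed in the thread.
def p2pk(pub: bytes) -> bytes:      # <pubkey> OP_CHECKSIG: key embedded directly
    return bytes([len(pub)]) + pub + bytes([OP_CHECKSIG])

def p2pkh(pub: bytes) -> bytes:     # only a 20-byte hash of the key is on chain
    return bytes([OP_DUP, OP_HASH160, 20]) + hash160(pub) + bytes([OP_EQUALVERIFY, OP_CHECKSIG])

def p2wpkh(pub: bytes) -> bytes:    # segwit v0: OP_0 <20-byte hash>
    return bytes([OP_0, 20]) + hash160(pub)

def p2tr(xonly_key: bytes) -> bytes:  # segwit v1: OP_1 <32-byte x-only output key>
    return bytes([OP_1, 32]) + xonly_key


def script_kind(spk: bytes) -> tuple[str, bytes]:
    """Recognise the template and return (kind, key-or-hash payload)."""
    if spk and spk[-1] == OP_CHECKSIG and spk[0] in (33, 65) and len(spk) == spk[0] + 2:
        return "p2pk", spk[1:-1]
    if len(spk) == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20]) and spk[-2:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "p2pkh", spk[3:23]
    if len(spk) == 22 and spk[:2] == bytes([OP_0, 20]):
        return "p2wpkh", spk[2:]
    if len(spk) == 34 and spk[:2] == bytes([OP_1, 32]):
        return "p2tr", spk[2:]
    return "other", b""


@dataclass(frozen=True)
class Utxo:
    label: str
    value_btc: int
    script_pubkey: bytes


def classify(utxo: Utxo, revealed_hashes: set[bytes]) -> str:
    kind, payload = script_kind(utxo.script_pubkey)
    if kind == "p2pk":
        return "p2pk (key embedded)"
    if kind == "p2tr":
        return "p2tr (key is the address)"
    if kind in ("p2pkh", "p2wpkh"):
        # A spend from this hash put the preimage (the pubkey) in a scriptSig/witness.
        return "reused after spend" if payload in revealed_hashes else "hash-locked (unrevealed)"
    return "other"


def exposure_report(utxos: list[Utxo], revealed_hashes: set[bytes]) -> tuple[dict[str, int], int, int]:
    """Return (value per bucket, exposed value, total value)."""
    buckets: dict[str, int] = {}
    for u in utxos:
        b = classify(u, revealed_hashes)
        buckets[b] = buckets.get(b, 0) + u.value_btc
    total = sum(u.value_btc for u in utxos)
    exposed = total - buckets.get("hash-locked (unrevealed)", 0) - buckets.get("other", 0)
    return buckets, exposed, total


# Constructed stand-in keys (not real curve points): 0x02 prefix + 32 deterministic bytes.
def fake_pub(name: str) -> bytes:
    return b"\x02" + hashlib.sha256(name.encode()).digest()

PUB_A, PUB_B, PUB_C, PUB_E = (fake_pub(n) for n in ("A", "B", "C", "E"))
XONLY_D = hashlib.sha256(b"D").digest()

UTXOS = [
    Utxo("early p2pk", 50, p2pk(PUB_A)),
    Utxo("fresh p2pkh", 10, p2pkh(PUB_B)),
    Utxo("p2pkh reused after a spend", 5, p2pkh(PUB_C)),
    Utxo("taproot", 2, p2tr(XONLY_D)),
    Utxo("fresh p2wpkh", 3, p2wpkh(PUB_E)),
]
# Hashes whose pubkey a previous spend already revealed (constructed: only C was reused).
REVEALED = {hash160(PUB_C)}

if __name__ == "__main__":
    buckets, exposed, total = exposure_report(UTXOS, REVEALED)
    for name, v in buckets.items():
        print(f"{name:28s} {v:>4} BTC")
    print(f"exposed: {exposed}/{total} BTC ({100 * exposed / total:.1f}%)")
```

The fresh P2PKH and P2WPKH outputs stay in the hash-locked bucket because nothing on chain contains their key yet; the same P2PKH template lands in the exposed bucket as soon as its hash appears in the revealed set, which is the reuse case the comment calls the largest bucket.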