> unsafe standard PoS

Not "unsafe standard" but

"dangers/unsafe to bootstrap".

But there are ways to mitigate the bootstrapping issue to some degree.

And PoW chains tend to have a low cost at the beginning making them similar not easy to bootstrap safely (through more easy then PoS).

In the end I don't think what theoretically is better matters, what only really matters is what practically matters for big crypto currencies (and smaller ones can during bootstrap (and potentially later one) interlink with the large chains).

PoS is more quantum-resistant though. If someone were to build a quantum computer capable of running Grover's algorithm on bitcoin hashes, they would get a quadratic speedup over classical miners. That's a threat that doesn't exist on PoS.

(Both would be vulnerable to Shor's but post-quantum signatures would fix that.)

Is there a known limit for the energy to hash ratio ?

The system is fault tolerant. You typically get 99.X% participating. Any validator that doesn't perform their duty in a timely fashion is penalized and eventually ejected if they are disruptive.

Those private keys are useless unless you had something like 50% of all the active validators' keys. So, hundreds of thousands of private keys hacked. You're not going to be able to damage consensus using a few old leaked private keys. The best you could do would be to slash some active validators and get them ejected, but the chain would carry on finalizing without them.

Whoever the 260k are (and I know some of them) if they’re all one entity, they would have had to stake eight million ETH and counting into the ETH2 deposit contract.

The 8k are randomly selected from this pool of 260k validators via RanDAO every 12 seconds.

It's similar in that 8k sigs are collected and coalesced to sign something. From there the differences begin. M-of-N schemes must be orchestrated ahead of time, using Shamir's or by constructing a BTC multisig UTXO or something. When signing, one may choose freely among the key shards. It's performed in the usual execution layer of the chain.

Whereas in ETH PoS, validation happens in the consensus layer, following strict self-imposed rules. With each new block, one validator is chosen to propose the block, and thousands of validators are asked to back the proposer. The proposer and attestors are chosen randomly but specifically with no freedom to mix and match; the chosen validators must attest (and receive a reward) or else be penalized. Validators don't know each other and they don't need to cooperate to create a shared key ahead of time, all they have to do is deposit and follow the rules. The signatures are agglomerated by [BLS ellipical curve stuff idk it's magic] and help to form the consensus chain itself.