I pointed out two specific cryptographic backdoors. One follows from your premise - a regular person can’t just bust Dual EC because it is based on a hard problem. That’s true for now but it’s also the exception as far as I can tell. Other backdoors by NSA don’t all share that property.

The other example of an NSA backdoor is the DES replacement known as the PX-1000cr cipher. It is claimed also to be a backdoor from NSA but by your framing, it can’t be an NSA backdoor because it was broken by Stef on his laptop without much of a budget. Your framing suggests that because someone found it and broke it, it can’t be an NSA NOBUS backdoor. But as I pointed out even the Dual EC backdoor has limits and so your standard seems unreasonable.

Then there is DES itself which was intentionally weakened by NSA. IBM wanted 64 bits, NSA wanted fewer bits and at the time, Hellman said DES should have twice the bits. Between Hellman and NSA, I guess we know who won.

NSA doesn’t only want NOBUS backdoors. They want almost anything that gets them plaintext first in a reliable manner, and things related to long term security come a far distant second, if at all, as we see in the analysis of the PX-1000cr research.

Also yeah, having a quantum computer will give everyone the secret key for the Q in Dual EC. Recording that traffic now will probably have pay off for non NSA adversaries later if a CRQC is really coming. Who knows if that will happen, but we know NSA is exploiting fear of that happening to push for new cryptography that isn’t a hybrid design including some kind of ECC.