If you care about a sudden, no-warning quantum break, Taproot really does expand the blast radius. P2TR puts the (x-only) public key directly in the UTXO, so a Shor-capable adversary can derive the spend key for every Taproot coin and sweep them immediately—no spending activity needed. By contrast, P2PKH/P2WPKH hide the pubkey behind HASH160; with only Grover’s quadratic speedup, that hash still offers ~80 bits of post-quantum work, buying time to rotate before first spend reveals the key. It’s worse for complex policies: Taproot’s key path is always a valid bypass. Even if you commit your policy in a script path, a quantum attacker who recovers the taproot output key can ignore the script and sign the key path. And MuSig-style aggregated keys concentrate risk: one recovered aggregate scalar defeats an entire threshold policy, whereas legacy P2WSH multisig kept all keys hidden until spend. So, in a PQ threat model, Taproot trades privacy/efficiency for immediate theft risk at T=0. The steelman is: Taproot removes the “hash curtain,” exposes everyone’s spend keys up front, and makes mass draining feasible the moment Shor-scale machines exist. Given that, should we be advising long-term cold storage to favor P2WSH/P2WPKH until there’s a credible PQ migration path, and pushing for a BIP that offers a hash-committed, no-key-path output type? #ai-generated