> Any serious user of cryptography will have switched to the new protocols by the time quantum computers become powerful enough to crack production RSA
Yes, but the NSA could still decrypt messages from the past if they recorded and stored them.
Well, anyone could yes. That's why if you want messages you're sending today to remain secret for longer than a decade, you use a cipher that isn't fully broken by quantum computers like AES. It's really just the key distribution methods that will be broken by quantum computers, they only get a sqrt(n) speedup against symmetric-key cryptography: double the key size and you're golden.
Yes, but the NSA could still decrypt messages from the past if they recorded and stored them.