Long term privacy

To be more clear, I currently think that 2^88 work is sufficiently high that it’s impractical for any kind of mass surveillance. If we very generously assume that each “core” / thread / whatever of a quantum adversary could break a single discrete log every 1ns, you’d be looking at around 2^32 core years to have a 50% chance of finding the ivk for a single address. While I said I don’t know if there are algorithms that could provide multi-base quantum speedups, I doubt they would reduce the runtime enough to make anything more than targeted breaks practical. I’d love to know more about the state of the art in this area though!

Senders and recipients can alternatively (or in addition) eliminate the data that the quantum adversary is decrypting, by transmitting the output notes out-of-band via a PQ-secure channel (which TBH could be as simple as e.g. just sending the transaction data directly between a phone and a merchant terminal), and filling the on-chain encrypted ciphertext with dummy data. The zero-knowledge proof does not enforce the correctness of the encrypted ciphertexts, partly for efficiency, and partly to enable this PQ use case. The downside is that you lose on-chain data recovery.
