However, regarding cryptography, the NSA's cryptographic expertise and resources are secret, so it's very hard to include them in a threat model.
They could know more than civilian cryptographers, have new direct attacks that we don't know yet, e.g. algebraic attacks and specialized hardware to solve gigantic systems of equations. Or, they could have a working quantum computer with many qbits. We don't know, do we?
My threat models for my clients use a state sponsored APT, and generic SIGINT and HUMINT agencies all the time. The idea being that SIG agency does passive interception and traffic analysis, where the HUM agency does targeted collection, and the APT is opportunistic zero day.
It's not just the NSA, it's literally everyone else as a class of threat they might need to consider. Also, I use opposition researchers as threats for politically exposed people, and who cross over into foreign spy level stuff.
The controls it prescribes are straightforward, and realistically, it's a risk you just understand, do your best to mitigate it, and accept.If you are going to not do business because you are afraid of state level consequences, you've got a legal/regulatory problem, and not a technical one.
That leak says something about the resources, not the expertise. For example both the NSA and almost every NATO equivalent of it tends to design cryptographic primitives with openly documented “weird” interfaces (key checksums, self-synchronizing remarkably slow stream ciphers...) and probably nobody outside of these agencies really knows why.
