I'm having trouble even following what you're saying here. A cryptographically-relevant quantum computer breaks all conventional elliptic curve cryptography, not just NSA's backdoor. Everything we're talking about is irrelevant if NSA can break curves with quantum computers.
The point is that if the RNG didn’t artificially add elliptic curves in the form of a back door, even a CRQC wouldn’t be able to break the RNG. Grover can be assumed to reduce the security by roughly ~N/2. A design with a sufficiently large N isn’t going to fall to a CRQC generally. The design of Dual EC which includes a backdoor is strictly worse than a design without a low hanging Q to attack.
NSA expects and is pushing the idea that there will be a CRQC. NSA does not say they will be the only people with a CRQC, and so their hold on a monopoly to exploit Dual EC isn’t forever and will someday be in the domain of a person with a laptop (and access to a CRQC).
I think your entire argument boils down to "there's no such thing as a NOBUS backdoor because practical quantum computing breaks Dual EC". OK. Super interesting point.
I pointed out two specific cryptographic backdoors. One follows from your premise - a regular person can’t just bust Dual EC because it is based on a hard problem. That’s true for now but it’s also the exception as far as I can tell. Other backdoors by NSA don’t all share that property.
The other example of an NSA backdoor is the DES replacement known as the PX-1000cr cipher. It is claimed also to be a backdoor from NSA but by your framing, it can’t be an NSA backdoor because it was broken by Stef on his laptop without much of a budget. Your framing suggests that because someone found it and broke it, it can’t be an NSA NOBUS backdoor. But as I pointed out even the Dual EC backdoor has limits and so your standard seems unreasonable.
Then there is DES itself which was intentionally weakened by NSA. IBM wanted 64 bits, NSA wanted fewer bits and at the time, Hellman said DES should have twice the bits. Between Hellman and NSA, I guess we know who won.
NSA doesn’t only want NOBUS backdoors. They want almost anything that gets them plaintext first in a reliable manner, and things related to long term security come a far distant second, if at all, as we see in the analysis of the PX-1000cr research.
Also yeah, having a quantum computer will give everyone the secret key for the Q in Dual EC. Recording that traffic now will probably have pay off for non NSA adversaries later if a CRQC is really coming. Who knows if that will happen, but we know NSA is exploiting fear of that happening to push for new cryptography that isn’t a hybrid design including some kind of ECC.
