
Not if your key is sent in the clear protected by asymmetric encryption.



However, in practice modern systems do ephemeral DH key agreement. Now, Shor's algorithm can be brought to bear on DH as well, but it ratchets up your costs because now you're attacking every single connection individually.

Suppose, miraculously, that you have a Quantum Computer which breaks any modern asymmetric crypto for $1M in one hour. That's very impressive, but you won't use it to snoop on somebody's Google searches, that's $1M and an hour per search. "Big booobs", an hour and $1M later, "Big boobs" (ah, that first one was a typo), another hour, another $1M, "Bigger boobs". Not practical.

You _could_ attack the signature algorithm, allowing you to sign messages "as Google" and MITM connections but that's an active attack so it will have very poor deniability. Not a problem if you're the SVR or Mossad, deniability was never part of your mandate anyway, but awkward for the NSA or GCHQ whose governments prefer not to admit what they're up to. And lack of deniability is very awkward if you're organised crooks, that's going to get you banged up.


Right, which is why you'd cut out asymmetric step if possible (obviously not for the general HTTPS case, but okay for backups) or replace the asymmetric step with quantum-safe asymmetric crypto. What confused me was that the parent post was worried about scaling up AES to become quantum-safe, which is unnecessary. It's already safe.

