Moreover, for Case 1, the situation might not be as bad as with BTC, where we are almost certain that no one has access to the private keys of millions of coins (including Satoshi’s coins on P2PK addresses that have a revealed public key and thus are QC vulnerable). In contrast, with ETH, perhaps not a significant part of the supply is lost and people would migrate a big portion of it. Of course I have no proof of that and it might be helpful to estimate the amount of lost ETH.
2b: I haven’t read anything more comprehensive yet except the following idea of quantum proof keypairs from Aayush. There was a similar idea years ago on Twitter in a conversation regarding a possible coin rescue in HD wallets. I found a tweet from Adam Back: “also I think (fairly new thought) that HD keys that were reused could be soft-forked to require a Zero Knowledge proof of knowledge of the chain code and master even if the coin private key was public information. (and soft-fork made not be spendable with direct ECDSA.)”