If someone is trying to attack the system, then the security is as if there are 2^128 distinct private keys, even though private keys are actually 256 bits long and pubkey-hashes are 160 bits long.
That does explain the factor 4 billion difference, but I don't understand why the security would be based on 2^128 and not 2^160.
Is that assuming 4 billion used addresses?
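An added illustration of the arithmetic behind the numbers in this thread (it is not from either poster): generic discrete-log algorithms such as Pollard rho cost about 2^(n/2) for an n-bit elliptic-curve key, a single-target preimage on an h-bit hash costs about 2^h, and with k target hashes a multi-target preimage costs about 2^h / k. The function names and the "targets" parameter are this example's own; the assumption that the 4 billion figure corresponds to 2^32 targets is labelled as such in the code.

```python
import math


def ecdlp_generic_bits(key_bits: int) -> float:
    """Work factor (in bits) of a generic discrete-log attack on a key_bits-bit curve.
    Pollard rho and similar methods need about sqrt(group order) steps, i.e. 2^(n/2)."""
    return key_bits / 2


def hash_preimage_bits(hash_bits: int, targets: int = 1) -> float:
    """Work factor (in bits) to find a preimage for any one of `targets` hash values.
    A single-target preimage costs ~2^h; with k targets any one hit costs ~2^h / k."""
    return hash_bits - math.log2(targets)


def hash_collision_bits(hash_bits: int) -> float:
    """Birthday-bound collision cost, ~2^(h/2). Not the relevant path for stealing
    a specific key, but listed for comparison."""
    return hash_bits / 2


def effective_security_bits(key_bits: int = 256, hash_bits: int = 160, targets: int = 1) -> float:
    """The chain is only as strong as its cheapest generic attack: either recover
    the private key from the public key (ECDLP) or find a preimage of the hash."""
    return min(ecdlp_generic_bits(key_bits), hash_preimage_bits(hash_bits, targets))


def targets_to_equalize(key_bits: int = 256, hash_bits: int = 160) -> int:
    """Number of target hashes at which the multi-target preimage cost drops to the
    ECDLP cost. With 256-bit keys and 160-bit hashes this is 2^(160-128) = 2^32.
    Assumption (this example's, not the thread's): this 2^32 ~ 4.3 billion is the
    'factor 4 billion' mentioned above."""
    return 2 ** (hash_bits - key_bits // 2)


if __name__ == "__main__":
    print("ECDLP, 256-bit key:        2^%g" % ecdlp_generic_bits(256))
    print("preimage, 160-bit hash:    2^%g" % hash_preimage_bits(160))
    print("overall (single target):   2^%g" % effective_security_bits())
    k = targets_to_equalize()
    print("targets to reach ECDLP cost: 2^32 = %d" % k)
    print("preimage with that many:   2^%g" % hash_preimage_bits(160, k))
```

Run as a script it prints the work factors side by side; the point it makes is that the 160-bit hash only matters once there are enough target hashes to bring the preimage cost down to the 2^128 that the 256-bit key already imposes.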