2. so how this is different than brute-force from just an address?
Quantum computers do not provide a sufficient speedup for symmetric cryptography which is your RIPEMD160 and SHA256 which wouldn't allow them to be able to get to your ECDSA public key which would be required for to be able to get your private key from your public key.
i think it would be reckless to make that assumption. it underestimates the potential power of the adversary's hypothetical machine. we may be talking about the same situation as a race attack. if the adversary forces a holder to spend all their coins as mining fees, the end result is the same---he loses his coins and they are recirculated into the supply.
it's also very unlikely that all holders of vulnerable outputs would be in a position to race the adversary. we're talking about a window of minutes or even seconds.
I would think that a collusion with a mining pool would make this far easier with them only accepting the attacker's TX. I couldn't find any other relevant information regarding the number of qubits required but I remember that you'll need a fairly high number of qubits to be able to pull this off within an hour. All the scenarios described are purely hypothetical. I wouldn't really believe that the adversary, if it's a government would truly be interested in attacking Bitcoin as it's merely a low hanging fruit with fairly low rewards.