Can anyone explain the final bit about transitioning to a new algorithm not being too difficult?
If ECDSA is broken (and only that), then we can just create a new address type, and move all coins there. In the case of Taproot, all that is needed is probably just disabling spend-by-key.
For SHA-256, the situation is more difficult, but in that case, we will be alerted in advance. If you ever see block headers with 128 leading zero bits for SHA-256, that would mean reaching the collision level, and transitioning to something else. I wonder if that process will start even faster, when chainwork reaches 2^128, just to be 100% sure.
Protecting SHA-256 is harder, but still possible. It requires rehashing everything with some new algorithm, maybe even in some backward-compatible way, where you could have some 512-bit hash, with the first 256 bits always being identical to SHA-256, and the next 256 bits being generated by some other hash function. I also expect the same kind of stuff that happened with SHA-1: you have the real SHA-1, and some hardened version that can protect you just from some discovered attacks, and nothing else.
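As an added illustration (not code from the post or from any Bitcoin implementation) of the two ideas above, the following Python sketches the backward-compatible 512-bit digest, where the first 256 bits are plain SHA-256 and the second 256 bits come from an independent function (SHA3-256 is an assumed choice here, the post only says "some other hash function"), and the "early warning" check that counts leading zero bits of a block hash against the 128-bit collision-level threshold. The header and message bytes are constructed samples, not real chain data.

```python
import hashlib

# Constructed sample inputs: an all-zero 80-byte "header" and a short message.
# Neither is a real Bitcoin block header or transaction.
SAMPLE_HEADER = bytes(80)
SAMPLE_MSG = b"example transaction bytes"

# Threshold from the post: 128 leading zero bits is the SHA-256 collision level.
COLLISION_LEVEL_BITS = 128


def composite_hash(data: bytes) -> bytes:
    """512-bit digest: SHA-256 || SHA3-256.

    The first 32 bytes are exactly SHA-256, so software that only knows the
    old function can keep validating that prefix. The second 32 bytes use an
    assumed, structurally different hash so that a break of SHA-256 alone does
    not let an attacker forge the whole 64-byte value.
    """
    return hashlib.sha256(data).digest() + hashlib.sha3_256(data).digest()


def legacy_verify(data: bytes, stored: bytes) -> bool:
    """Old verifier: only understands the SHA-256 prefix of the stored digest."""
    return stored[:32] == hashlib.sha256(data).digest()


def upgraded_verify(data: bytes, stored: bytes) -> bool:
    """New verifier: both halves must match, so a SHA-256-only forgery fails."""
    return stored == composite_hash(data)


def block_hash(header: bytes) -> bytes:
    """Bitcoin's double SHA-256 of a serialized block header."""
    return hashlib.sha256(hashlib.sha256(header).digest()).digest()


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits when the 256-bit digest is read the way the
    proof-of-work comparison reads it (little-endian integer vs. target)."""
    value = int.from_bytes(digest, "little")
    return 256 - value.bit_length()


def collision_alarm(header: bytes, threshold: int = COLLISION_LEVEL_BITS) -> bool:
    """True if this header's hash has reached the post's 'time to migrate' level."""
    return leading_zero_bits(block_hash(header)) >= threshold


if __name__ == "__main__":
    stored = composite_hash(SAMPLE_MSG)
    print("legacy verifier accepts:", legacy_verify(SAMPLE_MSG, stored))
    print("upgraded verifier accepts:", upgraded_verify(SAMPLE_MSG, stored))
    # A digest whose SHA-256 half is intact but whose second half is wrong
    # still passes the legacy check and is rejected by the upgraded one.
    forged = stored[:32] + bytes(32)
    print("legacy accepts forged:", legacy_verify(SAMPLE_MSG, forged))
    print("upgraded accepts forged:", upgraded_verify(SAMPLE_MSG, forged))
    print("leading zero bits of sample header hash:",
          leading_zero_bits(block_hash(SAMPLE_HEADER)))
    print("collision alarm:", collision_alarm(SAMPLE_HEADER))
```

The point of the split verifier pair is the migration path the post describes: nodes that are never upgraded keep checking the SHA-256 prefix and see nothing change, while upgraded nodes require both halves, so a collision found for SHA-256 alone does not produce a value that passes the stronger check.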