As for quantum computers, if they ever became a thing, then Bitcoin would need to have a major code upgrade quickly.
The last thing people are going to think of is address reuse, but I agree that it should not be done in general.
A warning is not a bad idea, or we could just use Silent Payments more; that way address reuse would not be possible.
I agree that Silent Payments would be hugely helpful. Regarding the core upgrade, the problem is -- as _act_ wrote -- that the signatures for algorithms like Falcon or Sphincs+ are very big, 10 to 50 times the size of current ECDSA signatures (in Falcon-512 for example, signatures are about 700 bytes long). This means this would create a huge additional scaling problem. Thus, I think it's not a bad idea to focus on "low hanging fruits" that could help reduce the number of vulnerable coins, like such an address reuse warning.
The problem is also perhaps not that far away though. There are some projections that in 2028 there could be a quantum computer with 2500+ logical qubits available which could theoretically attack an address where the public key is known. It would probably take years or decades though for a single key. To crack a key in a few days, millions of qubits are needed.
Ah, and I agree about the warning for low entropy. That's a topic I would need to investigate further though, because I don't really have an idea how much this is still a problem in modern wallet software.
The problem is that some wallets will not implement it and some people may be very ignorant about it, which will not be good at all. The best option will still be to have an upgrade which is quantum resistant.
I see it that way: people with reused addresses have to migrate the coins to another address anyway if they want quantum resistance, be it a fresh, never-used "normal" Bitcoin address or a post-quantum address. For our lifetime, both options will perhaps, or even probably, offer enough protection, because even if the current pace in QC research continues, it should take several decades to crack a key in 10 minutes.
And as you correctly wrote, the quantum-resistant signatures would be very large, and thus it would be preferable to use another method to make people migrate. I'm not against a post-quantum upgrade though. If it's optional, just like Segwit is, then it should not be too controversial.
Why do I have a feeling that this is going to spark a lot of controversy and debate? This is going to look like wallet developers are going to become on-chain surveillance, watching addresses whose public key is exposed and the ones that are not exposed on the Bitcoin network. We are bringing a solution that takes away the little privacy we enjoyed with Bitcoin.
Not at all; all blockchain data is public anyway, and wallet software is already aware of all the data it needs for such a warning.
There are no additional privacy risks: full node wallets like Bitcoin Core have all data available in their local blockchain copy, and SPV wallets like Electrum already gather the data about address balances from servers anyway. For the warning about address reuse, they would not need more data than current wallets need; the balances (i.e. information about UTXOs) are enough.
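To illustrate the point that such a warning needs nothing beyond data a wallet already has, here is an added example (not code from this thread, Bitcoin Core, Electrum or any other wallet) that replays a small constructed transaction list, rebuilds the UTXO set, and flags wallet addresses that still hold coins and are either reused or have their public key on-chain. The transaction model, the placeholder address labels "A" to "E" and the `script_type` field are assumptions of the example; real wallets would derive the script type by parsing the output script. The example treats a P2PKH/P2WPKH public key as exposed once the output is spent, and treats P2PK and P2TR outputs as exposed on receipt, since their output script already contains a public key (for P2TR, the tweaked output key).

```python
"""Added example: audit a wallet's addresses for reuse and exposed public keys
using only transaction/UTXO data. Not code from the thread or any wallet project."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class TxOut:
    address: str      # placeholder label, not a real Bitcoin address
    value: int        # satoshis
    script_type: str  # "p2pk", "p2pkh", "p2wpkh" or "p2tr" (assumed, pre-parsed)


@dataclass
class TxIn:
    prev_txid: str
    prev_vout: int


@dataclass
class Tx:
    txid: str
    inputs: list   # list of TxIn; empty for a coinbase
    outputs: list  # list of TxOut


# Output types whose script itself carries a public key: exposed as soon as received.
PUBKEY_IN_OUTPUT = {"p2pk", "p2tr"}


def scan(txs):
    """Replay txs in order. Returns (utxo set, receive count per address,
    set of addresses whose public key appeared on-chain)."""
    utxos = {}                       # (txid, vout) -> TxOut
    receive_count = defaultdict(int)
    exposed = set()
    for tx in txs:
        for txin in tx.inputs:
            spent = utxos.pop((txin.prev_txid, txin.prev_vout))
            # Spending a hash-based output (P2PKH/P2WPKH) reveals the public key
            # in the scriptSig/witness; the spent address is exposed from now on.
            exposed.add(spent.address)
        for vout, out in enumerate(tx.outputs):
            utxos[(tx.txid, vout)] = out
            receive_count[out.address] += 1
            if out.script_type in PUBKEY_IN_OUTPUT:
                exposed.add(out.address)
    return utxos, receive_count, exposed


def audit(txs, wallet_addresses):
    """Return {address: [reasons]} for wallet addresses that still hold coins
    and are reused and/or have an exposed public key. Addresses with a zero
    balance get no warning: there is nothing left to migrate."""
    utxos, receive_count, exposed = scan(txs)
    balance = defaultdict(int)
    for out in utxos.values():
        balance[out.address] += out.value
    warnings = {}
    for addr in wallet_addresses:
        if balance[addr] == 0:
            continue
        reasons = []
        if receive_count[addr] > 1:
            reasons.append("address reused")
        if addr in exposed:
            reasons.append("public key exposed")
        if reasons:
            warnings[addr] = reasons
    return warnings


def example_audit():
    """Constructed sample history (not real chain data)."""
    txs = [
        Tx("cb1", [], [TxOut("A", 50_000, "p2pkh"), TxOut("B", 30_000, "p2wpkh")]),
        # Spending from A reveals A's pubkey; paying change back to A reuses it.
        Tx("t2", [TxIn("cb1", 0)], [TxOut("C", 20_000, "p2pkh"), TxOut("A", 29_000, "p2pkh")]),
        # D is P2TR (pubkey in the output); B receives a second time without spending.
        Tx("cb2", [], [TxOut("D", 10_000, "p2tr"), TxOut("B", 1_000, "p2wpkh")]),
        # C is fully spent: exposed, but nothing left to warn about.
        Tx("t4", [TxIn("t2", 0)], [TxOut("E", 19_000, "p2wpkh")]),
    ]
    return audit(txs, ["A", "B", "C", "D", "E"])


if __name__ == "__main__":
    for addr, reasons in example_audit().items():
        print(f"{addr}: {', '.join(reasons)}")
```

Nothing in this check goes beyond what the wallet needs to compute its own balance: the same UTXO replay yields both numbers. A full node has the whole history locally; an SPV wallet already asks a server for exactly these outputs and spends for its own addresses.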