Replies (2)

SatsAndSports 3 months ago
Thanks @mleku for giving an answer with some details, and @epsql for raising the quantum-resistance point about TR. While witnesses have a discount, normal monetary transactions also benefit from the same discount, as they also use the witness. What concretely could be done differently? Maybe the discount should apply only to small witnesses, so that larger, potentially spammy, witnesses pay more? (It's too late to include this change in the discount rules, as it's a consensus change, but I'm just curious to discuss these issues to learn more.)
ECDSA and Schnorr signatures are both vulnerable. There are no signature algorithms with as small a data size as these algorithms; the smallest post-quantum signature algorithm has 96 bytes, and most others are upwards of 600 bytes long. Every transaction has one, so a quantum upgrade would probably not even use any of the ones that are known currently, but something in the future, when someone figures out a compact signature for post-quantum algorithms. Lattices are too big, multivariates are better, and there is also the possibility of short coding-algorithm signatures, as well as hash-based signature schemes that use similar techniques to Merkle trees. Taproot addresses don't expose the public key until spent, the same as other transactions. The address is the hash of the public key, which is verified when signed by revealing the public key. This is why you should not reuse Bitcoin addresses.