Even those are at risk if the key can be cracked in a matter of minutes, since it takes 10 mins on average from publishing your spending transaction to it getting mined, and the attacker can doublespend it with a much larger fee.
This is true. Leaving coins at rest is safe, but moving them before the threat is understood might be risky. Widespread opt-in RBF enforcement could mitigate the risk to some degree, if miners cooperate and shun full RBF after a quantum attack. In the worst case, one might need to submit their "exit" transactions directly to a non-evil miner in order to avoid revealing the pubkey before confirmation. Ideally, this will all be figured out ahead of time, and most non-"lost" coins will be moved over to post-quantum UTXOs before the risk is serious.
