Rest assured, the world's intelligence agencies and cybercrime rings aren't just taking vanilla open source wordlists off github and hoping they get lucky.

You don't know what your adversary's wordlist contains, and assuming you do is a recipe for overconfidence.

Yes, "if your enemy is state sponsored attackers" you shouldn't do many things, like use bcrypt incorrectly, or really passwords almost at all. That's obviously not what I'm saying.

Okay, use emojis in every password, you win, you're right, emojis make your password hack-proof to everyone who isn't the NSA.

That is also not what I said either, but I admire your dedication to engaging in bad faith.