In that case, active attacks against Weierstrass field arithmetic isn't part of your threat model and ECDSA/ECDH over the NIST curves is fine.

So this is something that can't be done en masse? Okay, thanks.

>> Threat model wrapped in tin foil? I don't understand what you mean, are you suggesting paranoia?

That term likely means one of two things: guarding against a particularly capable attacker or paranoia for others

NSA dragnets won't decrypt things using dodgy curves for signatures (ECDSA), only things using dodgy curves for key exchange (ECDH).