
> AES-GCM-SIV has increasing likelihood of nonce reuse after 2^32 messages.

While I agree with your cautions, this is still an exceptionally large number. Also, AFAIK the actual bound depends on the message size, e.g. you can "safely" encrypt 2^64 messages of ~128 KiB each with the identical key but random nonce. So as long as one keeps using as random a nonce as possible while allowing for a few exceptional reuses, casual developers indeed have a very low chance of actually reaching that threshold.
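The birthday-bound arithmetic behind the 2^32 figure in this thread, as an added example (not code from anyone in the thread): it estimates how likely a random 96-bit nonce (the nonce size of AES-GCM and AES-GCM-SIV per RFC 8452) is to repeat after a given number of messages, and how many messages fit under a chosen collision budget. The 2^-32 budget is the one NIST SP 800-38D uses for random GCM IVs; the sample message counts are constructed inputs, and the code models only nonce collisions, not the message-size-dependent bounds the comment mentions.

```python
import math

# AES-GCM and AES-GCM-SIV (RFC 8452) both use 96-bit nonces.
NONCE_BITS = 96
# NIST SP 800-38D keeps the random-IV collision probability below 2^-32.
NIST_COLLISION_BUDGET = 2.0 ** -32


def collision_probability(messages: int, nonce_bits: int = NONCE_BITS) -> float:
    """Probability that at least one nonce repeats when `messages` nonces are
    drawn uniformly at random from a 2**nonce_bits space (birthday bound).

    Uses 1 - exp(-n(n-1)/(2N)), accurate while n is far below sqrt(N), which is
    the regime that matters for a 96-bit nonce. expm1 keeps precision for the
    tiny probabilities involved (a plain 1 - exp(...) would round to 0.0).
    """
    space = 2 ** nonce_bits
    if messages <= 1:
        return 0.0          # zero or one draw cannot collide
    if messages > space:
        return 1.0          # pigeonhole: more draws than nonces
    exponent = -(messages * (messages - 1)) / (2 * space)
    return -math.expm1(exponent)


def messages_for_budget(budget: float, nonce_bits: int = NONCE_BITS) -> int:
    """Largest message count whose collision probability stays at or below
    `budget`, by inverting the same approximation: n ~ sqrt(-2N ln(1 - p))."""
    if not 0.0 < budget < 1.0:
        raise ValueError("budget must be a probability strictly between 0 and 1")
    space = 2 ** nonce_bits
    n = math.sqrt(-2.0 * space * math.log1p(-budget))
    return int(n)


def risk_table(counts=(2 ** 20, 2 ** 32, 2 ** 40, 2 ** 48)) -> dict:
    """Collision probability for a few constructed per-key message counts."""
    return {n: collision_probability(n) for n in counts}


if __name__ == "__main__":
    for n, p in risk_table().items():
        print(f"2^{n.bit_length() - 1:>2} messages -> P(nonce reuse) ~ 2^{math.log2(p):.1f}")
    print(f"messages under NIST budget: ~2^{math.log2(messages_for_budget(NIST_COLLISION_BUDGET)):.1f}")
```

With a 96-bit nonce, 2^32 messages give a reuse probability of about 2^-33, and the NIST 2^-32 budget is exhausted at roughly 2^32.5 messages, which is where the 2^32 rule of thumb comes from; for AES-GCM-SIV a reuse degrades to revealing that two messages were identical rather than breaking the key stream, which is why the thread treats the same number as much less alarming.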


