We've expected that lattice KEMs would only be used in hybrid combination with establish elliptic curve key exchanges, which ameliorates any weakness in the lattice KEM.
In particular, there exist worse side channel attacks upon lattice KEMs than upon elliptic curves, because of how the sampling code works in lattice KEMs.
We know less about choosing parameters for lattice KEMs too, and there was interesting discussion about how lattice KEMs reveal system randomness, so overall lattice KEMs do have a slightly higher risk from classical attackers than elliptic curves.
[archive.org](https://web.archive.org/web/20260218044903/https://mailarchive.ietf.org/arch/msg/tls/-Te4ZxhhFiQ9CwPaLnAta63mCn0/). [DJB has NSA and IETF, part 5](https://blog.cr.yp.to/20260219-obaa.html) but it seems overly long.