The other side of Shor's algorithm is that you can use it to solve discrete logarithm (which additionally breaks elliptic curve crypto; factoring breaks RSA).
I don't agree that Grover's algorithm is as fundamental in breaking encryption, since it "only" yields a quadratic speed-up. You'd have similar effective security as in the pre-quantum world by doubling the key length; you could do this by, say, switching to AES-256 instead of AES-128. Meanwhile, switching from RSA-2048 to RSA-4096 only helps if it means the problem size now exceeds the size of the biggest quantum computers.
I don't agree that Grover's algorithm is as fundamental in breaking encryption, since it "only" yields a quadratic speed-up. You'd have similar effective security as in the pre-quantum world by doubling the key length; you could do this by, say, switching to AES-256 instead of AES-128. Meanwhile, switching from RSA-2048 to RSA-4096 only helps if it means the problem size now exceeds the size of the biggest quantum computers.