> Are you saying that a "hybrid KEM" is different in theoretical risk from chaining two KEMs?

No, I'm saying that "hybrid KEM" or "chaining two KEMs" is very distinct from "encrypt twice". Confuse the two at your own peril.

> To the extent we know what KEM is, we think it is just encrypting the key used for the rest of the bulk encryption.

Encryption is reversible. If you have the key, you can decrypt. It's not encryption if you can't decrypt.

KEMs are their own class of algorithms. They combine an asymmetric encryption scheme with an all-or-nothing one-way transform (usually a key derivation function built on hash functions). It's the safest way to hold asymmetric encryption in practice (even not considering PQ; RSA-KEM beats RSA-OAEP in implementation safety).

Calling KEMs "encryption" is misleading to the point of malpractice. I will push back on conflating the two.

> Whether or not people understand the nuance of encrypting the block cipher keys or encrypting the blocks themselves, I think we all mean to stack the two encryption methods for defense-in-depth protection.

Your only defense-in-depth should be in delivering a strong pseudorandom ephemeral key over an untrusted network, and then using the tried-and-true AEAD constructions that we're already using today. Encrypt once. Do whatever you need to do to get the key exchanged securely.

I write a blog that very regularly covers applied cryptography. I deal with newbie confusion all the time. It's very important that we talk about these things correctly on forums like Hacker News comment threads so that the people learning from us won't get more confused.

Please don't call KEMs "encryption".
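To make the distinction drawn in the comment above concrete, here is an added example (not code from the commenter) of a textbook RSA-KEM and a KDF-based combiner for two KEMs. Assumptions: the keys are built from publicly known Mersenne primes and are not secure, two instances of the same toy KEM stand in for the classical and post-quantum components, and the `kdf` helper and combiner layout are illustrative rather than any standard's. The 32-byte output is what would key a single AEAD.

```python
import hashlib
import secrets

E = 65537

def toy_keypair(a, b):
    """Constructed demo key from Mersenne primes 2^a-1 and 2^b-1. NOT secure."""
    p, q = 2**a - 1, 2**b - 1
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def kdf(label, *parts):
    """One-way transform: length-prefixed parts hashed to a 32-byte key."""
    h = hashlib.sha256(label)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()

def to_bytes(x, n):
    return x.to_bytes((n.bit_length() + 7) // 8, "big")

def encaps(pub):
    """RSA-KEM: the sender supplies no message. Fresh randomness r is
    RSA-encrypted, and the shared key is KDF(r), never r itself."""
    n, e = pub
    r = 2 + secrets.randbelow(n - 2)
    return to_bytes(pow(r, e, n), n), kdf(b"rsa-kem", to_bytes(r, n))

def decaps(priv, ct):
    """Recover r with the private key and derive the same key."""
    n, d = priv
    r = pow(int.from_bytes(ct, "big"), d, n)
    return kdf(b"rsa-kem", to_bytes(r, n))

def hybrid_encaps(pub1, pub2):
    """Run both KEMs, then bind both secrets and both ciphertexts in one KDF call."""
    ct1, k1 = encaps(pub1)
    ct2, k2 = encaps(pub2)
    return (ct1, ct2), kdf(b"hybrid", k1, k2, ct1, ct2)

def hybrid_decaps(priv1, priv2, cts):
    ct1, ct2 = cts
    return kdf(b"hybrid", decaps(priv1, ct1), decaps(priv2, ct2), ct1, ct2)
```

Nothing here is decrypted back into a caller-chosen plaintext: the only output on either side is a derived key, and the bulk data would be encrypted once under it.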