I had no idea that taproot was presented, among other things, as a potential improvement with respect to QC threats. How could this have been given the exposed pubkey? Am I missing something either in my understanding of how taproot works or more generally?

Also what debate are you referring to? I'd like to know more, thanks