So, after a couple of meetings and going through more of the links, including the GPG response, etc., my thoughts on the #efail vuln:
1) The core requirement is that an attacker needs to get ahold of an encrypted email first. This is axiomatic. This is the thing that they need to decrypt.
The attacker can do this by either:
a) Sniffing the encrypted email in transit.
b) Stealing the encrypted email at rest.