PGP was different then. In the 90s the internet was unencrypted and the only people using PGP were those that had a reasonable need for it. However, there were a couple of big problems that the armchair historian would not be aware of.
First off, communicating with PGP was hard. Imagine you are based in London and you want to publish something controversial without getting taken to court. You could email someone in New York and ask them to post your 'hot potato of juiciness'. But, how do you exchange keys without the beloved five eyes seeing what you are up to?
This was in an era when very little was encrypted, so anything encrypted would theoretically get flagged for the three letter agencies to take a look at. Again, this would depend on the person you are trying to reach; if they were working at the equivalent of 'the Iranian embassy' then yeah, good luck with that, you are going to get caught.
The next problem was that PGP was doable for the three letter agencies using what amounts to WW2 Enigma tactics. In period it was possible for them to man-in-the-middle attack an email, to ask the PGP-using sender to 'use the right key and resend'. The sender does as told, even with the same, as provided, public key. However, they just change their original message, maybe to remove a typo, change the date or add a friendly note. Then the three letter agency does a glorified 'diff' and they are subsequently in on the chat.
PGP was originally treated as a 'munition' with export controls. People weren't using PGP for their Uber Eats and Amazon orders; as per the article, it was only anti-government people that needed PGP, that being Western 'five eyes' governments.
Hence, even though it is a tedious NYT article, the author is right about PGP, in period. And, don't ask how I know about how PGP was hacked, there was a certain fog of war that went on at the time.
It was never trivial for TLAs to man-in-the-middle anyone, because PGP users were very much aware of the problem and nothing about key exchange was automated, for good or ill. Key exchange parties, reading out key fingerprints in their own custom extended phonetic alphabet etc.
A man in the middle attack would maybe work in rare cases, at great cost, and then you'd get one or two messages and immediately make people aware that they'd been attacked. It's not worth it. I'm confident the TLAs never bothered to do it against anyone with public keys on a key server, the minimum effort you could make to guard against MITM attacks.
> However, they just change their original message, maybe to remove a typo, change the date or add a friendly note. Then the three letter agency does a glorified 'diff' and they are subsequently in on the chat.
Could you expand on this please?