@knaccc trying to understand what was written. I think that less than 128 bits hurts security in theory, but in practice ~128 bits of security is okay. For example, curve25519 doesn’t have exactly 128 bits when you clear the cofactor. Most likely, Pieter was talking about a significant decrease, not sure. Reasons why I would personally choose more than 128 bits of entropy would be just in case the entropy is not as unpredictable as I would like, i.e. to add a security margin. And also your point on if the hash function is later seen to be exploitable. For this I would also choose 256 bits just in case the exploit allows the attacker to recover half of the seed. If 256 bits was used, I believe it would reduce the security to 128 bits in the worst case. A different thing I would consider is that not all protocols that have 128-bit security are the same. I would also think about how easy it is for the user to mistakenly lower their security level. For example, if I had to also allow users the option to use a phrase to seed their wallet, I would mandate that the phrase be the length of a Shakespeare book. Not sure if that would even help though.