When IT security professionals talk about methods to tap someone’s communications, they use the term “(attack) vector”. Strong encryption is by definition not breakable, so the only available points of attack lie before encryption is applied, or after the cypherdata has been decrypted. There’s no use “tapping the wire” (like Tempora). You’ll typically want to tap the applications at either end which provide the encryption.
The German “BKA Bundestrojaner” proposed to do this in a way similar to the CDC’s good old BackOrifice, which basically hooked into your webcam, sound card and keyboard as well as providing FTP-style access to storage devices. However getting that software onto the target computer is a challenge. You need to break in, or trick the target user to download and install your software. It requires a targeted effort.
Mass surveillance of encrypted communication requires a massive number of computer systems to be compromised. Take Skype, for example. Let’s assume that its protocol is unbreakable, and Microsoft refuses to allow direct access (as they claim). That leaves two vectors: either a generalized trojan like the Bundestrojaner that is tricky to get onto target computers. Or a modified version of the Skype software, disguised as an update. At its core, it’s the ideal trojan. It’s been done before, e.g. Hushmail served modified updates to some of their clients at the request of Canadian authorities. But let’s assume Microsoft doesn’t cooperate by allowing their Skype updates to be “spiked”. Their cooperation isn’t required if you have the cooperation of internet providers, because you can simply re-route requests for updates from Microsoft servers so that the bugged update is downloaded from a malware server instead, without the target knowing. This can be done for a massive number of users, and it’s not just theory. It’s been common practice in China and the countries of Northern Africa, where governments have served up “localized” versions of communications software like Skype to all users in those countries’ networks.
That’s where Tor and VPNs come in. They can’t prevent this from happening, but they do provide an extra layer of distance between yourself and your internet provider. If all communications leaving your wall socket are encrypted and anonymized, there’s not much they can do. They’d have to infiltrate your VPN end point, or a significant number of the Tor exit servers. While that is possible, it seems more like a theoretical possibility.
Use a VPN, or use Tor all the time if possible. It’s not paranoia: providers like Comcast have in the past swapped out web content, replacing it with their own notifications and advertisements. Mobile data providers do a lot of meddling to police the applications that are being used; it’s not beyond them to substitute data you’ve requested.
Put some distance, a layer of anonymity between yourself and your internet provider.