ECDSA is much more dangerous to implement than Ed25519
If you're concerned about NSA backdoors, don't use v3 (which only uses NIST-approved algorithms). Use v4 instead.
At the bottom, it states
If you want smaller tokens or better performance than P-384, make sure Ed25519 lands in FIPS 186-5 and use v4.public instead.
Ed25519 did land in FIPS 186-5 and therefore v4.public. features only NIST-approved algorithms. Since v3 exists only for NIST-dependant applications, it is now redundant.
In https://github.com/paseto-standard/paseto-spec/blob/master/docs/Rationale-V3-V4.md there are numerous claims that Ed25519 should be preferred over P-384.
At the bottom, it states
Ed25519 did land in FIPS 186-5 and therefore
v4.public.
features only NIST-approved algorithms. Since v3 exists only for NIST-dependant applications, it is now redundant.