
Are they actively monitoring? Kaspersky's job is to stop known malware and make some guesses about potential unknown malware. Actively monitoring TLAs sounds like a waste of time/money in that scenario. TLAs will be more interested in specific targets and will likely know what protection they have to work around. If they need a specific solution for a specific person they can spend some time making sure Kaspersky doesn't detect it. (It's not that hard)

Virtually none of their customers would be safer if they did the monitoring. If anything widespread actually gets released, they'll likely know from telemetry.



It’s pretty easy to exfiltrate when you have root access.


Exfiltrate what? We're talking about unknown new vulnerabilities. They'd have to: 1. Find out which computer they're interested in. 2. Find out which files they're interested in. 3. Somehow figure out when they're not in a sandboxed, monitored lab. 4. Exfiltrate via public network.

Without a testing ground and inside knowledge, that doesn't sound easy, considering any detection would cause... what we have now.

A normal office near which I worked had a malware lab with isolated and logged networking, actual green/red painted sides of the room, dedicated fancy storage, etc. They would know if anything's being uploaded by the AV. NSA likely has a much tighter setup.

And again - what's Kaspersky's gain in that situation?


You can exfiltrate whatever you want. By installing Kaspersky you've installed a program with root access that may or may not have a backdoor connection to the FSB. These antivirus applications scan for vulnerabilities and also send back telemetry data as well as hashes and maybe even the code of unknown executables.



