I'd argue if it turns out that after the sale those exploits and implants would get used in USA against US citizens without sanction of USA gov't, then those companies might be found (co)liable for damages in a US court.

Maybe! Look at how long NSO has been around before this suit.

Oh yes, that's definitely a long game - detecting a compromise often takes a long time, attribution is tricky and takes time, and after that court cases will take years, e.g. the ongoing whether-NotPetya-is-act-of-war insurance civil case.