on the balance of probabilities, it is probably true.
I would expect NSA to make use of any vulnerabilities they find, because their job is to hack others, not to keep us safe. Unfortunately.
NSA is resposible for so-called SIGINT and SIGSEC, acronyms for signals intelligence, to which you refer, and signals security, which IS to keep our communications safe.
It seems of course that SIGINT is what's "popular" in news.
I work on a web platform team, and I've seen many vulnerability reports over the years (well over 100). I've never seen a report from the NSA or US government. Actually, the only government I've seen reports from are the UK, so credit to them for actually doing something to keep people secure. But most reports I see are from project zero or Chinese companies.
Either the US government doesn't care at all about browser security or they are keeping vulnerabilities for themselves.
No, the US government has taken the position that it’s always best to have a few tricks up your sleeve when the chips are down. It is most certainly intentional stock piling of zero days for strategic advantage.
I would argue that such a clear conflict in these two priorities should necessitate having a bespoke separate governmental organization for SIGSEC, so that the NSA can freely focus on SIGINT.
The SIGINT arm of the NSA has an incentive to take any exploitable vulnerabilities in existing software and keep them secret, so they can use them against their enemies, rather than disclosing them so they can be fixed.
That's how CNO exploitation works. They generally can't report; their adversaries are recording their own networks, and will retrospectively detect intrusions.