State-sponsored attackers have access to much better resources. I do wonder how they determine who gets these things; do they look for keywords in your email, or do they monitor where login attempts are happening, or do they look at phishing messages that arrive at your account?
State-sponsored attackers also likely choose different targets. I'm not afraid to be a victim of such attack, but if I worked eg. as a diplomat, or as a defence contractor, or any government agency, I might actually be worried. There were some examples of attacks lately that targeted US government officials. So I guess Google shows this warning primarily to people who might be probable targets of state-sponsored attacks in the first place.
