An Echo may not be what you think it is
I am not as familiar with the Google product as the Amazon, but all of the Amazon Echo products turn on their ring light whenever they are talking OR listening. That light cannot be turned off by the skill application. In addition, the skills do NOT have access to the raw audio, they only have access to the text transcription.
Also, if the Echo is "talking" it is only listening for its wake word. So you can preempt a voice prompt by saying "Alexa" to take it back to the top of the menu tree, but if you haven't said the wake word the skill only gets the transcription of what was said after "it" stopped "talking", and then only for a maximum of 30 seconds. The skill app can respond with a voice prompt and get a second 30-second chunk of transcription (the "are you still there, please tell me what to do" prompt) but after that the user has to reinvoke the skill.
That said, I have several of the devices and use them daily. Whenever someone publishes an article about them being "hacked" I read and research it. To date, nobody has published a true remote hack of the system -- including this last one by SR Labs.
In this case, their technique for extending the voice prompt does not gain them access to what is being spoken in the room at the time. Does it expose a weakness in the system -- Yes, because they are creating a "denial of service" situation -- but they are not creating a surreptitious remote audio monitor.
The Echo is hard to "hack" because it doesn't execute any third party code. When you enable a skill you are downloading absolutely nothing to the Echo, and you aren't changing a single bit or byte of its configuration. All you are doing is telling Amazon's cloud servers to add that skill's name to the rules that pre-process the text stream. The Echo itself is a rather stupid device. Think of it as a limited functionality web browser that doesn't even have JavaScript and is limited to a single web site. You might be able to hack the cloud server, but you aren't going to have much luck hacking the end-user clients.
If a user can be tricked into installing an application, then it doesn't matter what the platform is, be it a PC, phone, or digital assistant. The Echo does have a great microphone array, but is severely limited in processing power and storage. That's why you don't even get to create your own wake word -- they are hardcoded in the firmware and the silicon is optimized for the hardcoded list.
Your cell phone is a significantly more appealing target to a hacker. Just like the Echo it has a microphone and internet connection, but unlike the Echo it has significantly more storage and CPU processing power, has a much larger attack surface, and it is always with you instead of sitting next to your bed or on the kitchen counter.
Amazon may be able to send new firmware to an Echo to turn it into a bug (say, at the "request" of a government) and that may be a legitimate concern, but the same can be said for just about any other connected or smart device. Anything more is a tinfoil hat situation.