A RNG need not be long latency, depending on the requirements. Requirements for cryptography vs. a Monte-carlo simulation are different. For cryptography you ideally want a generator that can’t be predicted, even knowing the last N numbers produced. If this takes 300 cycles to get a result, so be it, you aren’t asking for than many random numbers. A Monte-carlo simulation, on the other hand, can accept less random results but likes them fast.
A hardware LFSR based generator should be faster than an adder, but is completely unsuitable for cryptography, far too predictable. A software based LFSR in the same code using the numbers I’d estimate running 1 vector of results/cycle on the mill.
Reading from a bank of asynchronous oscillators is fairly fast and pretty good if the sampling is slow compared to the oscillator rate. But this takes power to run the hardware. So high power consumption, slow sampling, or weak randoms. If combined with another independent method you can get top grade randoms.