IMO the only way we can have a chance against backdoors like #xz is to start taking least privilege seriously. It’s insane that a compression library should ever have root privs. That ultimately means being able to control privilege at a finer grain than an OS process.
You can't fight overwhelming complexity with more complexity.