Arch has already updated XZ by relying on the source code repository itself instead of the tarballs that did have the manipulations in them.
It’s not ideal since we still rely on a potentially *otherwise* compromised piece of code, but it’s a quick and effective workaround without massive technical trouble for the issue at hand.
Until you use software that, without upfront notice, Ubuntu decides to move from APT to Snap without a migration process in place for your settings or credentials. Like has happened with Telegram and with Chromium. And then stuff breaks in ways where you as a noobie would have no idea how to fix.
This is exactly what happened with the Ubuntu setup on my parents’ laptop and I’ve since moved everything over to Linux Mint for them so they don’t have to deal with that anymore.