Real exploiters go bug hunting for zero days. The XZ thing was a humorous clown dancing a jig in a minefield. The clown spent 5 years on the sideline, then stepped on a mine immediately upon entry.
I like your last statement.
I agree that users should take responsibility for their system; I myself learned to fully encrypt my Linux with LUKS2, and things about Secure Boot, TPM2 or so.
That’s why I’m making an assumption of the need for non-tech-savvy users, like most Windows users if they come to the Linux world.
Exact issue like them:
exactly like this
https://bbs.archlinux.org/viewtopic.php?pid=2164410#p2164410
https://bbs.archlinux.org/viewtopic.php?pid=2166299#p2166299