AFAIK, the xz vulnerability was designed for Debian based on its workaround fixing systemd service status detection. Even if it shipped to something like Arch, the malicious code wouldn’t load.