Regarding the #xz backdoor, I've seen statements like "if you're not running a publicly exposed sshd, you're safe". This is not the case and reflects a pretty outdated security mindset. You're still vulnerable, because you shouldn't assume internal connections are inherently trustworthy.

Yes, it limits exposure, but that's not the same - you still have a high-severit incident on your hands. Anyway, just here stating the obvious, as usual. ✌️