It's Thompson's "Trusting Trust"[1], right? To the extent XZ is part of the standard build chain you could have a source-invisible replicating vulnerability that infects everything. And if it gets into the image used for, say, a popular mobile device or IoT gadget...

1: https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_Ref...