I'm way more worried about how a compromised xz-utils made it past the package maintainer and into the Debian repos. Mitigating supply chain attack vectors like this seem like the bigger priority by far and low hanging fruit. I don't follow Debian leadership but haven't come across any reaction or policy change to address this from them?