CVE-2024-3094: Malicious code in xz 5.6.0 and 5.6.1 tarballs

Others have now found evidence of malicious commits other than the build change that can impact SSH login. See: Yellow Flag: "The original xz maintainer started fixing the iss…" - Infosec Exchange

TL;DR: The commit git.tukaani.org - xz.git/commitdiff hid a `.` before the definition of a sandbox function, disabling Linux Landlock. The long-time maintainer of xz reverted it today.

To me, this means that the first vulnerability that’s become so public was not their sole goal, and even if the build-time issue doesn’t apply, others may. That commit would be in the 5.6 and 5.6.1 releases as well.

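The post above describes the failure mode without showing it: a build-time feature probe (CMake's `check_c_source_compiles`) fails open, so a single stray character that makes the probe snippet invalid C does not break the build, it just makes configure conclude "no Landlock" on every machine. The script below is an added example, not code from the post or from the xz project. The probe text is a constructed CMake snippet modelled on the Landlock check (the `my_sandbox` body, the `HAVE_LINUX_LANDLOCK` variable and the sample `config.h` are this example's own assumptions). It does two things a practitioner would want after this incident: lint the C bodies of compile probes for lines that cannot be valid file-scope C, and check the configure output against an allowlist of features that must be present so that a disabled sandbox fails the build loudly.

```python
"""Catch a sabotaged build-time feature probe (added example; not xz code).

Two independent checks:
  1. audit_probes():  scan the C source of each check_c_source_compiles()
     probe for lines that can never be legal at C file scope (e.g. a lone ".").
  2. missing_required_features(): after configure, verify that features the
     project must not lose (here HAVE_LINUX_LANDLOCK) were actually defined.
"""
import os
import re
import shutil
import subprocess
import tempfile

# Constructed: a feature probe as it would appear in a CMakeLists.txt,
# modelled on xz's Landlock check. Names are this example's own.
PROBE_OK = '''
check_c_source_compiles("
        #include <linux/landlock.h>
        #include <sys/syscall.h>
        #include <sys/prctl.h>

        void my_sandbox(void)
        {
            (void)prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
            (void)SYS_landlock_create_ruleset;
            (void)SYS_landlock_restrict_self;
            (void)LANDLOCK_CREATE_RULESET_VERSION;
            return;
        }

        int main(void) { my_sandbox(); return 0; }
    "
    HAVE_LINUX_LANDLOCK)
'''

# Constructed: the same probe with a lone "." inserted before the function
# definition. It is not valid C, so the probe always fails and configure
# reports "no Landlock" on every system, silently dropping the sandbox.
PROBE_SABOTAGED = PROBE_OK.replace(
    "\n        void my_sandbox", "\n.\n        void my_sandbox", 1)

PROBE_RE = re.compile(
    r'check_c_source_compiles\(\s*"(?P<src>.*?)"\s*(?P<var>\w+)\s*\)', re.S)

# Heuristic: a line made only of these characters cannot begin anything legal
# at C file scope (declaration, definition, or preprocessor directive).
JUNK_LINE_RE = re.compile(r"^[.,:?!@$`^~\\]+$")


def extract_probes(cmake_text):
    """Return [(result_variable, c_source)] for each compile probe found."""
    return [(m.group("var"), m.group("src")) for m in PROBE_RE.finditer(cmake_text)]


def junk_lines(c_source):
    """Return (line_no, text) for probe lines that cannot be valid top-level C."""
    found = []
    for n, line in enumerate(c_source.splitlines(), 1):
        if JUNK_LINE_RE.match(line.strip()):
            found.append((n, line.strip()))
    return found


def audit_probes(cmake_text):
    """Map each probe's result variable to the junk lines found in its body."""
    return {var: junk_lines(src) for var, src in extract_probes(cmake_text)}


def compile_probe(c_source):
    """Compile a probe body with the system C compiler (syntax only).
    Returns (ok, stderr), or None if no compiler is available. Read the
    stderr: a missing header is a genuine 'feature absent'; a syntax error
    in the probe text itself is sabotage or breakage that must not fail open."""
    cc = shutil.which("cc")
    if cc is None:
        return None
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "probe.c")
        with open(path, "w") as f:
            f.write(c_source)
        r = subprocess.run([cc, "-fsyntax-only", path], capture_output=True, text=True)
        return (r.returncode == 0, r.stderr)


DEFINE_RE = re.compile(r"^\s*#\s*define\s+(\w+)\b", re.M)


def missing_required_features(config_h_text, required):
    """Return the names in `required` that the configure step did not #define.
    Run this after configure so a lost sandbox fails the build instead of
    being silently dropped (an autoconf-style '/* #undef X */' counts as missing)."""
    defined = set(DEFINE_RE.findall(config_h_text))
    return sorted(name for name in required if name not in defined)


if __name__ == "__main__":
    for label, text in (("clean", PROBE_OK), ("sabotaged", PROBE_SABOTAGED)):
        print(label, audit_probes(text))
    # Constructed config.h as a sabotaged configure run would write it.
    config_h = "#define HAVE_SYS_PRCTL_H 1\n/* #undef HAVE_LINUX_LANDLOCK */\n"
    print(missing_required_features(config_h, ["HAVE_LINUX_LANDLOCK", "HAVE_SYS_PRCTL_H"]))
```

The junk-line lint is deliberately narrow (it flags only lines that cannot start any file-scope C construct) so it stays quiet on legitimate probes; `compile_probe` is the stronger check where a compiler is present, because it lets you distinguish "header not found" from "syntax error in the probe". The allowlist check is the one that should actually gate a release build: decide which `HAVE_*` results are security-relevant and refuse to ship a binary configured without them.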