• rotopenguin@infosec.pub
    6 months ago

    My $0.05 reading of it is that they want to hose down the build servers* and start clean, in case the attacker escaped the sandboxing there.

    * (the computers that compile all of the new packages from source, not web servers that are handing out finished deb binaries to the public.)

  • Karna@lemmy.ml
    6 months ago

    Further read: https://discourse.ubuntu.com/t/xz-liblzma-security-update-post-2/43801?u=d0od

  • Matúš Maštena@lemmy.ml
    6 months ago

    Just don't package it. And if you have to, sandbox it in Firejail or in Bubblewrap. Or just make a Snap out of it.
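As an added illustration of the sandboxing suggestion in the last comment (example code written for this page, not taken from the thread, from Bubblewrap, Firejail or the xz project): a small POSIX sh wrapper that runs a liblzma-linked tool under bwrap with no network, private PID/IPC namespaces, a read-only view of /usr and a single read-write scratch directory. It assumes bwrap is installed, that the host uses a merged-/usr layout (hence the --symlink lines), and uses xz as the wrapped tool; the function names sandbox_args, writable_mounts and sandbox_run are chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from any project named in it.
# Run a program that links liblzma (xz is used as the stand-in here) under
# bubblewrap (bwrap). Assumptions: bwrap is on PATH and the host has a merged
# /usr (so /lib, /bin etc. are recreated as symlinks inside the sandbox).

# Print the bwrap policy for running "$@" with the scratch dir "$1" mounted
# read-write at /work, one argument per line. Paths must not contain whitespace,
# because sandbox_run rebuilds the argument list by plain word splitting.
sandbox_args() {
    workdir=$1; shift
    printf '%s\n' \
        --ro-bind /usr /usr \
        --symlink usr/lib /lib \
        --symlink usr/lib64 /lib64 \
        --symlink usr/bin /bin \
        --symlink usr/sbin /sbin \
        --proc /proc \
        --dev /dev \
        --tmpfs /tmp \
        --bind "$workdir" /work \
        --chdir /work \
        --unshare-all \
        --die-with-parent \
        --new-session \
        -- "$@"
}

# Sanity check on the policy: count the writable mounts (--bind and --tmpfs).
# Only /work and /tmp should be writable, so the expected answer is 2.
writable_mounts() {
    sandbox_args "$@" | grep -cxE -- '--bind|--tmpfs'
}

# Execute "$@" under the policy. Returns 127 when bwrap is missing so a caller
# can refuse or fall back explicitly instead of silently running unsandboxed.
sandbox_run() {
    command -v bwrap >/dev/null 2>&1 || {
        echo "bwrap not found; refusing to run unsandboxed" >&2
        return 127
    }
    set -f                       # no globbing while the list is split
    # shellcheck disable=SC2046  (intentional word splitting, one arg per line)
    set -- $(sandbox_args "$@")
    set +f
    bwrap "$@"
}

# Stand-alone use:  ./sandbox.sh /path/to/scratch xz -d /work/file.xz
# (the scratch dir must already contain file.xz; xz sees it at /work/file.xz)
case $# in
    0|1) ;;
    *) sandbox_run "$@" ;;
esac
```

The policy deliberately does not bind $HOME, /etc or any socket directory: a compromised decompressor gets a read-only copy of the system libraries, one scratch directory and nothing else, and --unshare-all removes the network namespace so it cannot phone home. Anything the wrapped program legitimately needs (a config file, an input directory) has to be added as an explicit --ro-bind, which is the point.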