While others are saying “no one cares about your personal photos” personal info is not the target of backdoor attacks like this. It’s more likely an attempt to get access to lots of processing power for a crypto mine or botnet.
It’s best practice to have the minimum packages required to run whatever service you are running, don’t add other stuff that you won’t be using. Using a distro that is “outdated” like Debian stable can help since the packages have had more time out in the wild to be tested.
I am sure that the xz incident has raised a lot of alarms across many projects.