Atemu

joined 4 years ago
[–] Atemu@lemmy.ml 5 points 7 months ago (2 children)

Typing anything in another window that is not my browser

Which windows exactly? The apps you're typing things into might be spying on you.

M$ and their 738 partners really value your privacy, so if you're typing things into Excel...

copypasting the words "trans" and "talking"

What applications were running on your computer while you did this? Any of them could be recording clipboard history; it requires no special privilege.

Heck, I wouldn't be surprised if Windows itself was recording this and sent it to daddy M$ to train LLMs and maybe sell it as a little multi-billion side hustle.

transgender videos about "How to change your voice" start popping up in my feed. Please know I have zero interest in transgender politics/culture/anything, it is not something I have ever searched for or engaged in online.

Maybe Google knows something you don't? JK.

A more plausible explanation is that Google knows that you're in the Fediverse (ever Googled it?) which has a far above average concentration of queer people.

What is also plausible is that someone living with you (i.e. your family) or a friend is trans and you're obviously associated with them.

Google doesn't recommend queer content because they think you're queer but because it's what their data-defined statistical algorithms (""AI"") predict you are likely to be interested in and therefore watch ads for. If you know a queer person or are often in contact with them, you are simply quite a bit more likely to be interested in queer people than the average and therefore more likely to click on queer content.

Possible that Youtube is reading my clipboard? Reading my keystrokes?

Youtube itself? Near impossible.

Other applications? Possible but likelihood unknown.

Listening to an album via VLC, while Youtube is open in my browser. Suddenly, more tracks from that album start showing up in my suggested feed. Possible Youtube is reading the titles of other apps current open on my machine? (VLC changes its active title to the name of whatever file is currently open)

Again, Youtube itself directly isn't doing anything like this. If that album is related to what you were listening to on YT or is even simply also popular with people who listen to the same things on YT as you do or are just generally similar to your person; that's all it takes for YT to attempt to show it to you.

Also note again that any application on your Windows or Linux PC can read the window titles of any other application or even simply scan your media library or other files.

Discord does this for instance for their rich presence function and I would again not be surprised if there was a little multi-billion side-hustle going on.

I use Youtube all the time as my personal version of Spotify.

If you're not reliant on YT's recommendations, I'd recommend you download the songs you want to listen to and listen to them on a local player.

[–] Atemu@lemmy.ml 6 points 7 months ago

XZ is a slog to compress and decompress but compresses a bit smaller than zstd.

zstd is quite quick to compress, very quick to decompress, scales to many cores (vanilla xz is single-core only) and scales a lot further in the quicker end of the compression speed <-> file size trade-off spectrum while using the same format.
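The speed/size trade-off described in the comment above is easy to see on a single file. The script below is an added example, not something from the thread or from the xz or zstd projects; it assumes the `xz` and `zstd` binaries are on PATH (both accept `-T0` for "use all cores"; xz only multi-threads when explicitly asked). The input is a constructed, log-like text file, so the absolute numbers only mean something relative to each other.

```sh
#!/bin/sh
# Added example (not from the original thread): compare xz and zstd at a few
# compression levels on one constructed input and report size and wall time.
# Assumes `xz` and `zstd` are installed; `-T0` asks both to use every core.

have_tools() { command -v xz >/dev/null 2>&1 && command -v zstd >/dev/null 2>&1; }

# make_sample FILE: write a constructed, repetitive log-like text (~1.5 MB)
make_sample() {
  i=0
  while [ "$i" -lt 20000 ]; do
    printf 'host%d sshd[%d]: Accepted publickey for user%d from 10.0.%d.%d port %d ssh2\n' \
      $((i % 7)) $((1000 + i)) $((i % 53)) $((i % 255)) $((i * 7 % 255)) $((20000 + i % 40000))
    i=$((i + 1))
  done > "$1"
}

# now_ms: milliseconds since the epoch; GNU date gives nanoseconds, other
# implementations print the literal "%N", in which case fall back to whole seconds.
now_ms() {
  t=$(date +%s%N)
  case "$t" in
    *N*) echo $(( $(date +%s) * 1000 )) ;;
    *)   echo $(( t / 1000000 )) ;;
  esac
}

# compressed_size TOOL LEVEL FILE: bytes produced by TOOL at LEVEL (written to a pipe, not disk)
compressed_size() {
  case "$1" in
    xz)   xz   -T0 "-$2" -c "$3"    | wc -c ;;
    zstd) zstd -T0 "-$2" -c -q "$3" | wc -c ;;
  esac | tr -d ' '
}

# bench TOOL LEVEL FILE: print "tool -level bytesB ms"
bench() {
  start=$(now_ms)
  size=$(compressed_size "$1" "$2" "$3")
  end=$(now_ms)
  echo "$1 -$2 ${size}B $((end - start))ms"
}

main() {
  if ! have_tools; then
    echo "xz and zstd not both installed; skipping benchmark"
    return 0
  fi
  f=$(mktemp)
  make_sample "$f"
  echo "original $(wc -c < "$f" | tr -d ' ')B"
  for spec in "xz 1" "xz 6" "xz 9" "zstd 1" "zstd 3" "zstd 19"; do
    bench $spec "$f"
  done
  rm -f "$f"
}

main
```

The sizes are measured through a pipe so disk caching does not distort them; compare the `xz -9` and `zstd -19` rows for the "a bit smaller" claim, and the `zstd -1`/`-3` rows against `xz -1` for how much further zstd reaches on the fast end at the same format.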

[–] Atemu@lemmy.ml 1 points 7 months ago

Those packages themselves depend on xz. Pretty much all of them.

What you're suggesting would only make the xz executable not be backdoored anymore but any other application using liblzma would still be as vulnerable as before. That's actually the only currently known attack vector; inject malicious code into SSHD via liblzma.
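The vector named in the comment above only works if sshd loads liblzma at all, whether directly or through another library it links. The check below is an added example, not from the thread or the xz project; it assumes a glibc-style `ldd` listing (`libfoo.so.N => /path (0xaddr)`), which already resolves transitive dependencies, so a liblzma pulled in indirectly still shows up. The sample listings are constructed for offline testing.

```sh
#!/bin/sh
# Added example (not from the original thread): report whether an sshd binary
# would load liblzma, the precondition for running malicious liblzma code inside sshd.
# Assumes glibc-style `ldd` output; ldd lists transitive dependencies too.

# lists_liblzma: read an ldd-style listing on stdin; 0 if liblzma is among the
# resolved libraries, 1 otherwise.
lists_liblzma() {
  grep -q 'liblzma\.so'
}

# check_links_lzma BIN: run ldd on BIN and print a verdict.
# Returns 0 when liblzma is loaded, 1 when not, 2 when BIN cannot be inspected.
check_links_lzma() {
  bin="$1"
  if [ ! -x "$bin" ]; then
    echo "no executable at $bin; nothing to check"
    return 2
  fi
  if ldd "$bin" 2>/dev/null | lists_liblzma; then
    echo "$bin loads liblzma: a tampered liblzma would execute inside this process"
    return 0
  fi
  echo "$bin does not load liblzma"
  return 1
}

# installed_xz_version: the first line of `xz --version`, to compare against your
# distribution's advisory (the affected version numbers are deliberately not hardcoded here).
installed_xz_version() {
  xz --version 2>/dev/null | head -n 1
}

# Constructed ldd listings for offline use (not captured from a real system).
SAMPLE_LDD_LINKED='	linux-vdso.so.1 (0x00007ffd00000000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000000000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000100000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)'
SAMPLE_LDD_CLEAN='	linux-vdso.so.1 (0x00007ffd00000000)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0000000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)'

main() {
  printf '%s\n' "$SAMPLE_LDD_LINKED" | lists_liblzma && echo "sample 1: liblzma present"
  printf '%s\n' "$SAMPLE_LDD_CLEAN"  | lists_liblzma || echo "sample 2: liblzma absent"
  # Real check: only meaningful where an sshd binary exists.
  check_links_lzma "${SSHD_PATH:-/usr/sbin/sshd}" || true
  echo "installed xz: $(installed_xz_version)"
}

main
```

Run it with `SSHD_PATH` pointing at the sshd binary under test. A "does not load liblzma" verdict closes the sshd vector specifically; it says nothing about every other liblzma user on the system, which is the comment's point about fixing only the `xz` executable.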

[–] Atemu@lemmy.ml 7 points 7 months ago (5 children)

The settings layout is a big step up but I'm not such a great fan of the theme changes. The new "Royal Blue" theme has lost quite a bit of contrast.

[–] Atemu@lemmy.ml 1 points 7 months ago (2 children)

That works for leaf packages but not for core node packages. Every package depends on xz in some way; it's in the stdenv as well as bootstrap.

[–] Atemu@lemmy.ml 2 points 7 months ago* (last edited 7 months ago)

That's a nice idea in theory but not possible in practice as the last Nixpkgs revision without a tainted version of xz is many months old. You'd trade one CVE for dozens of others.

[–] Atemu@lemmy.ml 24 points 7 months ago

This blog post misses entirely that this has nothing to do with the unstable channel. It just happened to only affect unstable this time because it gets updates first. If we had found out about the xz backdoor two months later (totally possible; we were really lucky this time), this would have affected a stable channel in exactly the same way. (It'd be slightly worse actually because that'd be a potentially breaking change too but I digress.)

I see two ways to "fix" this:

  • Throw a shitton of money at builders. I could see this getting staging-next rebuild times down to just 1-2 days which I'd say is almost acceptable. This could even be a temporary thing to reduce cost; quickly renting an extremely large on-demand fleet from some cloud provider for a day whenever a critical world rebuild needs to be done which shouldn't be too often.
  • Implement pure grafting for important security patches through a second overlay-like mechanism.

[–] Atemu@lemmy.ml 12 points 7 months ago* (last edited 7 months ago)

It was not vulnerable to this particular attack because the attack didn't specifically target Nixpkgs. It could have very well done so if they had wanted to.

[–] Atemu@lemmy.ml 7 points 7 months ago

This has nothing to do with "unstable" or the specific channel. It could have happened on the stable channel too; depending on the timing.

[–] Atemu@lemmy.ml 5 points 7 months ago

AFAIK, affected versions never made it to stable as there was no reason to backport it.

[–] Atemu@lemmy.ml 8 points 7 months ago

xz is necessarily in the stdenv. Patching it means rebuilding the world, no matter what you optimise.
