The backdoor targets OpenSSH. The reason it's added to xz is that because of a complex dependency chain, it ends up being compiled to build OpenSSH. As far as I can tell, the payload doesn't get deployed into anything else.
It's worrisome for sure.. the original maintainer mentions longterm mental health issues, "but also due to some other things"
My worry would be "other things" they didn't mention can include deliberate acts of sabotage by said unknown agency. Devs can have health issues or other problems come up with themself or family in their personal lives, but also intelligence agents can tamper with people covertly in different ways such as deliberately causing various kind of accidents or contaminations/poisonings.
In any case; they could only have to disrupt the developer's life for a few months to persuade them that they need to step down to put one of their confederates at the head of the project, I begin to worry for All developers' safety now if you are the sole maintainer of a key project critical system daemons may link against.
Doubt the target is archiving software itself - presumably the reason these libraries got picked is because they already have high penetration across many layers of the stack which would ensure the backdoor has wide coverage.
Dunno, seems too amateur. An intelligence agency should be able to come up with more plausible sockpuppet names and email addresses even if in this case it didn't matter.