It's a heck if a lot better than a random smattering of shared libraries getting pulled into a random high-priviledge context which also inherits some other context from whoever is asking for authentication. Polkit gets a lot of flack but PAM is absolutely mad.

If the lesson of xz was "reduce supply chain attack surface" then the freedesktop people clearly haven't received it yet.

Fedora has used PolKit for 12 years now, and the javascript rules have probably been a thing for about as long.

Doctors recommended cigarettes for decades. What should give everyone similar pause is xz was found unintentionally.