
In hindsight, after the recent xz backdoor, combined with the fact sshd runs as root, we probably shouldn't use SSH for everything.


The xz backdoor had nothing to do with SSH (protocol) or OpenSSH. A Debian version of OpenSSH became potentially vulnerable because of a package maintainer decision to patch OpenSSH.

One could make an argument that no one should be using packages from (Debian) package maintainers. The origin of the xz backdoor in relation to SSH was a Debian package maintainer patching OpenSSH in an effort to support systemd.

Recall Debian's OpenSSL patch:

https://freedom-to-tinker.com/2013/09/20/software-transparen...

FWIW, the xz backdoor had zero potential effect on people using OpenSSH compiled from source without patches. (I do this b/c I prefer static binaries and dislike package managers.) The worst potential risk of the xz backdoor, IMO, was libarchive's use of the xz project. After the backdoor was announced, I re-compiled libarchive without xz support:

   configure --without-lzma


> after the recent xz backdoor, combined with the fact sshd runs as root, we probably shouldn't use SSH for everything

Independent sshd implementations with the potential of having neither issue do exist [1]

And many httpd's run as root as an easy way to bind to :80. Not strictly necessary either.

[1] https://docs.gitlab.com/ee/administration/operations/gitlab_...


These are problems with the server implementation though and not with the SSH protocol itself; you could design SSH server software that does not run as root (if you do not need the capabilities that are available when it does run as root; for example, if you only want to allow SSH to one user account then it can run with that user account).



