Also, I don't think we should get hung up too much on the libsystemd
thing. I know people like to hit on systemd,

I know, and one of the problems that results from having just a torrent of undeserved criticism is that it naturally predisposes the maintainers to reflexively disregard all criticism.  To be clear: I *like* systemd.  One of the things I like about it is that while the project is fairly large, the individual functions/services are modular and mostly independent of each other.  But that isn't really true of libsystemd.  I understand that there are some dependencies between different components of libsystemd, but sd-daemon doesn't seem to have any dependencies on sd-journal, for example.

but the attacker could
have used various other vehicle libs for their goal, too. I mean, sshd
uses PAM, and that pull in variety of things through its modules

PAM modules aren't a problem for the same reason that the compression libraries aren't a problem now that they're dlopen()ed.