Supply chain attacks also show one reason that using older software like Debian stable may be a better plan for things that matter. All new software versions need some time to be tested and vetted.
It also shows the importance of security in depth: that less is more in terms of code dependencies and complexity, and that knowing your dependencies is as important as knowing your code.
I would consider the xz incident to be a success. The supply chain attack was found pretty rapidly. We have already seen many of these, and we will see more. Ones I remember off the top of my head include the Linux kernel, NodeJS, and Python's PyPI.
I would not overblow this. Security is an ongoing activity, and all security is porous.
Pretty much any IMAP mail provider combined with Nextcloud for sync will work.
Keep in mind too that Proton Mail has a commercial offering that should work with Thunderbird. I have no experience with it.
We use our ISP's mail with our Nextcloud instance, but in the long run we will probably move to domain mail, with maybe Fastmail for the mail component. Not sure yet. I will be interested in what you find.