I think it’s worth the effort since it prevents numerous risks at the root, for sure it’s not enough. I agree that bootstrapping wouldn’t necessarily solve the XZ attack, but I think that should be solved by big tech paying FOSS maintainers enough or at all to prevent them from burning out.

About the BSD experience that looks like a big amount of work but definitely worth it, I’m sure they didn’t ship many packages as Guix ships but I guess the projects have different goals and requirements.