o11c 2 days ago
As always when this is posted: this is quite overstated. If you're only using .xz on something already protected by a sha2sum or something, and you trust the source, almost all of this is immediately invalidated (and the rest is "whatever, good enough"). Now, "trust the source" does have a hole that most people might not think about - are you sure the archive you just created corresponds to the files you tried to add? Doing extraction comparison tests should be mandatory ... but the same applies to all other archive formats, and very few tools automate the check in a way that also generates the hash.
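
An added example, not part of the comment above: one way to combine the extraction comparison with hash generation, so the published SHA-256 is only emitted for an archive that has been decompressed and checked against the source files. The function names are hypothetical, and the sketch assumes only regular files matter (symlinks, permissions and other metadata are not compared).

```python
import hashlib
import tarfile
from pathlib import Path


def _sha256(stream, chunk=1 << 20):
    """Hash a binary stream in chunks so large files are not held in memory."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def source_manifest(src_dir):
    """Map each regular file's relative path to the SHA-256 of its contents."""
    src = Path(src_dir)
    manifest = {}
    for p in sorted(src.rglob("*")):
        if p.is_file() and not p.is_symlink():
            with p.open("rb") as f:
                manifest[p.relative_to(src).as_posix()] = _sha256(f)
    return manifest


def archive_manifest(archive_path):
    """Decompress every regular member and hash what actually comes back out."""
    manifest = {}
    with tarfile.open(archive_path, "r:xz") as tar:
        for member in tar:
            if member.isfile():
                manifest[member.name] = _sha256(tar.extractfile(member))
    return manifest


def create_verified_archive(src_dir, archive_path):
    """Create a .tar.xz, verify the round trip, then return the archive's SHA-256."""
    expected = source_manifest(src_dir)  # hashes taken before archiving
    with tarfile.open(archive_path, "w:xz") as tar:
        for rel in expected:
            tar.add(Path(src_dir) / rel, arcname=rel)
    actual = archive_manifest(archive_path)  # hashes of the decompressed members
    if actual != expected:
        bad = sorted(k for k in expected.keys() | actual.keys()
                     if expected.get(k) != actual.get(k))
        raise ValueError(f"archive does not match source: {bad}")
    with open(archive_path, "rb") as f:
        return _sha256(f)  # only published once the round trip has passed
```

Members are hashed straight from the decompression stream rather than extracted to disk, which is enough to catch a file that changed or was dropped between hashing and archiving.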