
What I am trying to say is: it doesn't have to be any specific dependency, it can be any dependency that somehow loads liblzma. It can be a tiny mostly insignificant direct dependency if you want, it doesn't matter, it just needs to somehow be loaded into the address space.
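The point above, that any dependency chain ending in liblzma puts it in the process's address space, can be audited from the defender's side. This is an added example, not part of the thread; the DT_NEEDED graph, the sample `/proc/<pid>/maps` text, and every name except liblzma are constructed for illustration.

```python
from collections import deque

# Constructed DT_NEEDED graph (the per-object list `readelf -d` reports).
# All names except liblzma are hypothetical.
NEEDED = {
    "exampled": ["libfeature.so.1", "libc.so.6"],
    "libfeature.so.1": ["libcompress-helper.so.2", "libc.so.6"],
    "libcompress-helper.so.2": ["liblzma.so.5", "libc.so.6"],
    "liblzma.so.5": ["libc.so.6"],
    "libc.so.6": [],
    "othertool": ["libc.so.6"],
}

# Constructed /proc/<pid>/maps excerpt for the hypothetical daemon.
SAMPLE_MAPS = """\
55d0c0a00000-55d0c0a20000 r-xp 00000000 08:01 1311 /usr/sbin/exampled
7f1a2c000000-7f1a2c021000 r-xp 00000000 08:01 2211 /usr/lib/liblzma.so.5
7f1a2c400000-7f1a2c5c0000 r-xp 00000000 08:01 2050 /usr/lib/libc.so.6
7ffd4b1e0000-7ffd4b201000 rw-p 00000000 00:00 0 [stack]
"""

def load_chain(needed, root, target="liblzma"):
    """Shortest DT_NEEDED chain from root to a library named target*, or None."""
    queue = deque([[root]])
    seen = {root}
    while queue:
        path = queue.popleft()
        if path[-1].startswith(target):
            return path
        for dep in needed.get(path[-1], []):
            if dep not in seen:
                seen.add(dep)
                queue.append(path + [dep])
    return None

def mapped_objects(maps_text):
    """File names of file-backed mappings listed in /proc/<pid>/maps content."""
    objs = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # the 6th field is the path, if any
        if len(fields) == 6 and fields[5].startswith("/"):
            objs.add(fields[5].rsplit("/", 1)[-1])
    return objs

if __name__ == "__main__":
    print(" -> ".join(load_chain(NEEDED, "exampled")))
    print(sorted(mapped_objects(SAMPLE_MAPS)))
```

The static chain shows why the library is pulled in; the maps check confirms it is actually resident, which also catches libraries loaded at run time that no DT_NEEDED entry lists.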


But if such things are avoided across the board as policy, exactly to attain the result of reducing that attack surface, then there are few such possible examples, and so you can't just say "it could be anything"; you have to show that there is actually much of a pool of "anything".

What's an equivalent example that could actually happen in OpenBSD?



