
Why is it safer?


It means the libraries are only loaded when they are needed, so if you never use the (e.g.) xz compression feature, the xz library will not be loaded, and a backdoor added in the xz library simply can't trigger.

(Another side note is this may change the initialization order of libraries--so the initialization functions of an xz library don't run until xz is first used, and this may fail to let you intercept the ssh routines in time.)


> this may fail to let you intercept the ssh routines in time

It only makes it harder since you can always patch the code of the entire process at runtime (remapping things writable as needed).


I won't pretend I understand it all, but apart from linking only when needed, some explanations have come out of how it would have prevented this exploit path.

From https://research.swtch.com/xz-script

> The effect of the scripts is to arrange for the nefarious object file’s _get_cpuid function to be called as part of a GNU indirect function (ifunc) resolver. In general these resolvers can be called lazily at any time during program execution, but for security reasons it has become popular to call all of them during dynamic linking (very early in program startup) and then map the global offset table (GOT) and procedure linkage table (PLT) read-only, to keep buffer overflows and the like from being able to edit it. But a nefarious ifunc resolver would run early enough to be able to edit those tables, and that’s exactly what the backdoor introduced.

This early execution would not be possible if liblzma was dlopened later.
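The two points above (a library that is only dlopened on demand cannot run its resolvers at startup, and full RELRO is what makes early resolver execution matter) can be checked on a real binary rather than argued about. The following script is an added example, not code from any commenter or from the xz or Go projects: it parses an ELF64 file's program headers and dynamic section to report whether it carries PT_GNU_RELRO and BIND_NOW (together, "full RELRO"), and counts the R_X86_64_IRELATIVE relocations, which are the ifunc resolvers the dynamic linker will call at load time. The `build_synthetic_elf` helper constructs a tiny throwaway ELF image so the script runs offline; pass real paths (e.g. your liblzma.so) on the command line to audit them.

```python
import struct
import sys

# ELF64 little-endian layouts from the System V ABI.
ELF_HDR = "<16sHHIQQQIHHHHHH"   # 64-byte ELF header
PHDR = "<IIQQQQQQ"              # 56-byte program header
DYN = "<qQ"                     # 16-byte dynamic entry: d_tag, d_val
RELA = "<QQq"                   # 24-byte Elf64_Rela: r_offset, r_info, r_addend

PT_LOAD, PT_DYNAMIC, PT_GNU_RELRO = 1, 2, 0x6474E552
DT_NULL, DT_PLTRELSZ, DT_RELA, DT_RELASZ, DT_JMPREL = 0, 2, 7, 8, 23
DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
R_X86_64_RELATIVE, R_X86_64_IRELATIVE = 8, 37


def analyze_bytes(data):
    """Report RELRO/BIND_NOW state and the number of ifunc (IRELATIVE) relocations."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    hdr = struct.unpack_from(ELF_HDR, data, 0)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    phdrs = [struct.unpack_from(PHDR, data, phoff + i * phentsize) for i in range(phnum)]
    loads = [p for p in phdrs if p[0] == PT_LOAD]

    def va_to_off(va):
        # Map a virtual address to a file offset via the PT_LOAD segments.
        for _, _, off, vaddr, _, filesz, _, _ in loads:
            if vaddr <= va < vaddr + filesz:
                return va - vaddr + off
        raise ValueError("address %#x not backed by any PT_LOAD" % va)

    # Collect the dynamic section into a tag -> value map.
    dyn = {}
    for p in phdrs:
        if p[0] == PT_DYNAMIC:
            off, size = p[2], p[5]
            for pos in range(off, off + size, 16):
                tag, val = struct.unpack_from(DYN, data, pos)
                if tag == DT_NULL:
                    break
                dyn[tag] = val

    # BIND_NOW can be expressed three ways; any of them makes the loader resolve eagerly.
    bind_now = (bool(dyn.get(DT_FLAGS, 0) & DF_BIND_NOW)
                or bool(dyn.get(DT_FLAGS_1, 0) & DF_1_NOW)
                or DT_BIND_NOW in dyn)
    relro = any(p[0] == PT_GNU_RELRO for p in phdrs)

    # Walk .rela.dyn and .rela.plt (x86-64 always uses RELA) and count IRELATIVE entries.
    ifunc = 0
    for addr_tag, size_tag in ((DT_RELA, DT_RELASZ), (DT_JMPREL, DT_PLTRELSZ)):
        if addr_tag in dyn and size_tag in dyn:
            off = va_to_off(dyn[addr_tag])
            for pos in range(off, off + dyn[size_tag], 24):
                _, info, _ = struct.unpack_from(RELA, data, pos)
                if info & 0xFFFFFFFF == R_X86_64_IRELATIVE:
                    ifunc += 1
    return {"relro": relro, "bind_now": bind_now,
            "full_relro": relro and bind_now, "ifunc_relocs": ifunc}


def analyze_file(path):
    with open(path, "rb") as f:
        return analyze_bytes(f.read())


def build_synthetic_elf(bind_now, relro, n_ifunc):
    """Construct a minimal ET_DYN x86-64 image (constructed test input, not a real library)."""
    base, dyn_off = 0x400000, 0x100
    rela = b"".join(struct.pack(RELA, 0x1000 + 8 * i, R_X86_64_IRELATIVE, 0x2000)
                    for i in range(n_ifunc))
    rela += struct.pack(RELA, 0x3000, R_X86_64_RELATIVE, 0x4000)  # ordinary reloc for contrast
    rela_off = dyn_off + 16 * 5
    dyn = b"".join(struct.pack(DYN, t, v) for t, v in (
        (DT_FLAGS, DF_BIND_NOW if bind_now else 0),
        (DT_FLAGS_1, DF_1_NOW if bind_now else 0),
        (DT_RELA, base + rela_off), (DT_RELASZ, len(rela)), (DT_NULL, 0)))
    total = rela_off + len(rela)
    phdrs = [
        struct.pack(PHDR, PT_LOAD, 4, 0, base, base, total, total, 0x1000),
        struct.pack(PHDR, PT_DYNAMIC, 6, dyn_off, base + dyn_off, base + dyn_off,
                    len(dyn), len(dyn), 8),
    ]
    if relro:
        phdrs.append(struct.pack(PHDR, PT_GNU_RELRO, 4, dyn_off, base + dyn_off,
                                 base + dyn_off, len(dyn), len(dyn), 1))
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9
    hdr = struct.pack(ELF_HDR, ident, 3, 62, 1, base, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = hdr + b"".join(phdrs)
    return body + b"\0" * (dyn_off - len(body)) + dyn + rela


if __name__ == "__main__":
    for name, blob in (("strict", build_synthetic_elf(True, True, 2)),
                       ("weak", build_synthetic_elf(False, False, 0))):
        print(name, analyze_bytes(blob))
    for path in sys.argv[1:]:  # e.g. the liblzma.so.5 on the host you are auditing
        print(path, analyze_file(path))
```

The `ifunc_relocs` count only covers resolvers the object runs for its own internal references (IRELATIVE entries); an ifunc symbol exported to other objects shows up in their tables as a STT_GNU_IFUNC symbol instead, so a zero here means "no resolvers run for this object at load time", not "no ifuncs anywhere". A library that a program only dlopens later still gets its resolvers run at dlopen time, which is the point of the thread: by then the program's own GOT and PLT have already been made read-only.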
