I don't know how the assumption came up that F40 is only affected if users opted in for testing, but that interpretation already ended up in the Fedora Magazine and in the official linkedin post of Fedora (I already asked to correct it).
I believe that statement is correct, since none of the xz-5.6.x packages ever made it to F40 stable. The furthest they've got was updates-testing, which is not enabled in the official Beta releases.
The updates-testing repo isn't used in the Beta compose but it is enabled by default so if someone took the beta and then applied updates they would have automatically got the compromised package, there's nuance there.
However, if you installed F40 before Beta was released, then updates-testing is enabled and users may have installed the vulnerable package with a simple `sudo dnf upgrade`.
The same would be the case if they installed Beta.