For websites selling goods for bitcoin, it is common practice to use an xPub to derive a new address for each customer. This has two benefits: 1) using a fresh address protects the merchant's privacy, as tracking the funds is harder, and 2) handling orders becomes much easier, as each individual order has the bitcoin address as a unique identifier.
It is true that even if the xPub gets leaked, the hacker won't be able to use any of the funds. But he will be able to see past and future generated addresses and can monitor any and all traffic in the wallet.
If the website gets hacked, there are ways for the hacker to steal bitcoin intended for the merchant. For example, the hacker might change the website's xPub to his own, so all of the future transactions end up in the hacker's wallet instead of the merchant's. What the book is pointing out is that in the case of a hack, using the xPub it is impossible to steal any bitcoins that were sent before the hack.