Yes, in fact pip shouldn’t import anything post install, as a module could use a stdlib name.
This thread did make me think: rather than disabling lazy importing, I wonder if we can actively enforce no importing. Directly after the installation step, break the ability for imports to work. This would solve the potential security issue in any context then, not just lazy vs non-lazy situations.
I’ll look at raising an issue and do some preliminary work when I have a moment.
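
The idea in the post above, sketched as an added example (not pip's code and not from the post's author): a finder placed first on `sys.meta_path` refuses every import that is not already cached in `sys.modules`. The names `PostInstallImportBlocker`, `block_new_imports` and `demo` are hypothetical, and `colorsys` merely stands in for a module that has not been loaded before the install step.

```python
import importlib
import importlib.abc
import sys


class PostInstallImportBlocker(importlib.abc.MetaPathFinder):
    """Hypothetical guard: refuse any import that is not already in sys.modules."""

    def find_spec(self, fullname, path=None, target=None):
        # The import system consults sys.modules before sys.meta_path, so this
        # only runs for modules that would have to be loaded from disk now.
        raise ImportError(f"import of {fullname!r} blocked after install step",
                          name=fullname)


def block_new_imports():
    """Put the blocker ahead of every other finder and return it."""
    blocker = PostInstallImportBlocker()
    sys.meta_path.insert(0, blocker)
    return blocker


def try_import(name):
    """Return True if `name` can be imported right now, False if blocked."""
    try:
        importlib.import_module(name)
    except ImportError:
        return False
    return True


def demo():
    """Return (cached_ok, fresh_blocked, fresh_ok_after_unblock)."""
    sys.modules.pop("colorsys", None)       # constructed "not yet imported" module
    blocker = block_new_imports()           # the point just after installation
    try:
        cached_ok = try_import("sys")               # already loaded, still resolves
        fresh_blocked = not try_import("colorsys")  # needs a disk load, refused
    finally:
        sys.meta_path.remove(blocker)       # restore normal imports
    return cached_ok, fresh_blocked, try_import("colorsys")


if __name__ == "__main__":
    print(demo())
```

Modules loaded before the blocker is installed stay usable, so anything needed after the install step has to be imported eagerly first. Code running in the same process can remove the finder again, so this catches unintended imports rather than acting as a sandbox.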