Yeah, my suggestion is to just install an audit hook for an import event that raises an exception. I think it should be as simple as:
import sys
def hook(name, args):
if name == "import":
module_name = args[0].split(".")[0]
if module_name not in sys.builtin_module_names:
raise RuntimeError("For security reasons, pip doesn't allow imports at this point")
sys.addaudithook(hook)
That should cover both function-body imports and PEP 810 lazy imports without the need for a global filter.