Concerns about `-X lazy_imports=none`

The meaningful difference is that it is one step to execute code AND you didn’t expect any code to be executed, instead of two steps to execute code where you did expect code to be executed.

Users could have a workflow where they first only install wheels and then review the environment, manually or using automated tools, to make sure it matches their expectations.

Of course, once users are expecting to execute third party code there’s nothing that can be 100% guaranteed. But this expectation is not there for installing wheels.

This discussion is getting pretty tiring, having to justify that a real ACE issue pip had due to non-eager imports is a real security implication for a PEP that allows users to force pip’s imports to be non-eager. I’m going to disengage for a while.
