This was the point where I started pushing back on PEP 543, despite being initially in favour, because it’s a simple requirement with incredibly complicated implications. I assume it’s easier to do on macOS though, so the authors decided it was a fine requirement to have.
If it gets resurrected, I’ll have to continue to oppose it on these grounds until that requirement is replaced with something higher level. Otherwise, we end up with churn but still have to bundle OpenSSL on Windows even for basic requests (and users probably still have to manually inject configuration that the OS already knows but OpenSSL doesn’t handle properly).