PEP 810: Explicit lazy imports

As I read this, users who have set PYTHON_LAZY_IMPORTS="enabled" will have explicit security implications when running pip.

Pip has to import its modules eagerly so that installing a wheel doesn't allow the wheel to insert itself into the pip namespace and run arbitrary code as part of the install step, e.g. pypa/pip pull request #13085 by calebbrown, "Import self version check eagerly in install command to fix ACE".

If this gets accepted, would the advice be to put all of its imports in a `with contextlib.nullcontext():` block?

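The timing hazard behind the post, as an added example that is not from the post, the PEP or pip: no released interpreter accepts `lazy import` syntax, so a small proxy class that resolves the module on first attribute access stands in for a lazy import. The module names, the two temporary directories and the `ORIGIN` constant are all constructed for the demonstration. The point it shows is that an eager import binds to whatever is on `sys.path` at import time, while a lazy binding picks up whatever is first on the path when the name is first used, which can be after an install step has added new entries.

```python
"""Simulate PEP 810-style lazy binding to show why import timing matters.

Added example (not from the PEP or from pip). A LazyModuleProxy stands in
for a `lazy import` statement; eager_helper / lazy_helper and the two
temporary directories are constructed for the demonstration.
"""
import importlib
import os
import sys
import tempfile

MODULE_NAMES = ("eager_helper", "lazy_helper")


class LazyModuleProxy:
    """Stand-in for a lazy import: the real import happens on first use."""

    def __init__(self, name):
        self._name = name
        self._module = None

    def __getattr__(self, attr):
        if self._module is None:
            # Resolution happens here, against sys.path as it is *now*.
            self._module = importlib.import_module(self._name)
        return getattr(self._module, attr)


def write_module(directory, name, origin):
    """Write a one-line module exposing ORIGIN so we can see which copy loaded."""
    path = os.path.join(directory, name + ".py")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(f'ORIGIN = "{origin}"\n')


def run_scenario():
    """Return (eager_origin, lazy_origin) after the search path is altered.

    Both helpers exist in a 'trusted' directory that is on sys.path when the
    imports are written, and in an 'untrusted' directory that is prepended
    afterwards (standing in for a location an install step just populated).
    """
    trusted = tempfile.mkdtemp(prefix="trusted_")
    untrusted = tempfile.mkdtemp(prefix="untrusted_")
    for name in MODULE_NAMES:
        write_module(trusted, name, "trusted")
        write_module(untrusted, name, "untrusted")

    saved_path = list(sys.path)
    for name in MODULE_NAMES:
        sys.modules.pop(name, None)
    try:
        sys.path.insert(0, trusted)
        importlib.invalidate_caches()

        import eager_helper                      # bound right here
        lazy_helper = LazyModuleProxy("lazy_helper")  # not resolved yet

        # Something later puts a new location first on the path.
        sys.path.insert(0, untrusted)
        importlib.invalidate_caches()

        # The eager binding is unaffected; the lazy one resolves late.
        return eager_helper.ORIGIN, lazy_helper.ORIGIN
    finally:
        sys.path[:] = saved_path
        for name in MODULE_NAMES:
            sys.modules.pop(name, None)


if __name__ == "__main__":
    eager, lazy = run_scenario()
    print(f"eager import saw: {eager}")  # trusted
    print(f"lazy import saw:  {lazy}")   # untrusted
```

Running it prints `trusted` for the eager binding and `untrusted` for the lazy one. The same ordering concern is what the pip pull request addressed by moving the import to the top of the install command, and it is why a tool that modifies the import path while running has to decide explicitly which of its own modules must be bound before that point.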