What is the correct interpretation of path-based PEP 508 URI_reference?

If dependencies are locked with specific hashes, which I assume security-conscious deployments are doing, then only artifacts matching the hashes would be installed. Does that mitigate the concern?

Not just the behavior of pip list and pip freeze, but what should be stored in the direct_url.json in the first place. I made a comment here with specific related questions.