I should write an article on that.

Basically, you are in two possible situations:

- you don't have a minimal image, and then system tools will be written in Python. Pip installing will either overwrite their deps (if not using --user), or they will super impose theirs (if you use --user, you are implicitly using existing system deps). In one case updating deps breaks the image, in the other one updating the image break your deps.

- you have a minimal image, in which case you have to setup Python in it, and then fight for the entire project life to make sure any update never ever brings in a Python tool in the system or you are back to situation one.

This is a lot of work, hard to get right, difficult to diagnose when it goes wrong, and completely unnecessary since you can just use a venv in one command and call it a day.

Not to mention it's my experience most people are not knowledgeable enough with the python ecosystem to make any of those decisions in the first place (they barely know --user, -m etc).

Bottom line, "Relieving your packaging pain" (https://www.bitecode.dev/p/relieving-your-python-packaging-pain) is very relevant in a container.