
Weird. The config also appears to default to `false`

https://pnpm.io/settings#ignorescripts



This page describes the behavior, "disables the automatic execution of postinstall scripts in dependencies":

https://pnpm.io/supply-chain-security

While this explicitly calls out "postinstall", I'm pretty sure it affects other such lifecycle scripts like preinstall in dependencies.

The --ignore-scripts option will ignore lifecycle scripts in the project itself, not just dependencies. And it will ignore scripts that you have previously allowed (using the "allowBuilds" feature).
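
Added example, not part of the thread and not pnpm's own code: a small audit that lists which dependencies declare install-time lifecycle hooks, covering `preinstall` and `install` as well as `postinstall`, so you can see what a blanket ignore-scripts setting would suppress and what still needs review before being allowed. The function name, the allow list and the sample manifests are constructed for illustration.

```javascript
// Hooks that can run automatically when a dependency is installed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// manifests: parsed package.json objects of installed dependencies.
// allowed: package names whose build scripts you have already reviewed
//          (a hypothetical allow list, not a pnpm data structure).
function auditInstallScripts(manifests, allowed = []) {
  const allow = new Set(allowed);
  const findings = [];
  for (const m of manifests) {
    const scripts =
      m && typeof m.scripts === 'object' && m.scripts !== null ? m.scripts : {};
    // Keep only hooks that are declared with a non-empty command string.
    const hooks = INSTALL_HOOKS.filter(
      (h) => typeof scripts[h] === 'string' && scripts[h].trim() !== ''
    );
    if (hooks.length === 0) continue;
    findings.push({
      name: m.name,
      version: m.version,
      hooks: hooks.map((h) => ({ hook: h, command: scripts[h] })),
      reviewed: allow.has(m.name),
    });
  }
  // Unreviewed packages first, then alphabetical by name.
  return findings.sort(
    (a, b) => Number(a.reviewed) - Number(b.reviewed) || a.name.localeCompare(b.name)
  );
}

// Constructed sample manifests (not real packages).
const SAMPLE = [
  { name: 'native-addon-example', version: '2.1.0', scripts: { install: 'node-gyp rebuild' } },
  { name: 'plain-lib-example', version: '1.0.0', scripts: { test: 'node test.js' } },
  { name: 'telemetry-example', version: '0.3.2',
    scripts: { preinstall: 'node setup.js', postinstall: 'node report.js' } },
  { name: 'no-scripts-example', version: '4.0.0' },
];

for (const f of auditInstallScripts(SAMPLE, ['native-addon-example'])) {
  const tag = f.reviewed ? 'reviewed  ' : 'UNREVIEWED';
  console.log(`${tag} ${f.name}@${f.version}: ${f.hooks.map((h) => h.hook).join(', ')}`);
}
```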



