"Almost universal" is a bit of a stretch; most of the time these days Python apps are deployed as Docker containers, and if you're using k8s this becomes effectively mandatory.

However, a lot of the time, especially for older codebases, the Docker build will just run `pip install` from public PyPI without a proper lockfile.

So at least install code isn't being executed on your production machine, but it's still a significant surface area for supply chain attacks.