
bsenftner, yesterday at 10:58 AM (2 replies)

I'd like to see a security breakdown of uv versus pip versus conda versus whatever fashionable package manager I've not heard of yet.

Speed is okay, but security of a package manager is far more important.


Replies

Bengalilol, yesterday at 11:05 AM

uv is generally more secure than pip. It resolves dependencies without executing arbitrary code, verifies package hashes by default, and avoids common risks like typosquatting and code execution during install. It's also faster and more reproducible.

https://chaitalks.tech/uv-a-modern-python-package-manager-in...

https://docs.astral.sh/uv/pip/compatibility/

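As an added illustration (not code from the thread, nor from uv or pip), the following checks downloaded artifacts against the `--hash=sha256:` pins in a requirements file, which is the check pip performs under `--require-hashes` and uv applies to any pinned hashes it finds. The wheel bytes and the requirements fragment are constructed stand-ins.

```python
"""Added example: verify local artifacts against sha256 pins in a
pip/uv-style requirements file. Requirements text and artifact bytes are
constructed for the demo; no network access is needed."""
import hashlib
import re

# Constructed stand-ins for a genuine wheel and a tampered copy of it.
GOOD_WHEEL = b"constructed stand-in for requests-2.32.3-py3-none-any.whl"
TAMPERED_WHEEL = GOOD_WHEEL + b"\n# injected bytes"

# Constructed fragment in the format `pip-compile --generate-hashes` /
# `uv pip compile --generate-hashes` emit; `idna` is deliberately left unpinned.
REQUIREMENTS = (
    "requests==2.32.3 \\\n"
    f"    --hash=sha256:{hashlib.sha256(GOOD_WHEEL).hexdigest()}\n"
    "idna==3.7\n"
)


def parse_hashes(text: str) -> dict[str, set[str]]:
    """Map each requirement name to the set of sha256 pins declared for it."""
    pins: dict[str, set[str]] = {}
    # Join backslash-continued lines so a requirement and its hashes form one record.
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name = re.split(r"[=<>!~ ]", line, maxsplit=1)[0].lower()
        pins[name] = set(re.findall(r"--hash=sha256:([0-9a-f]{64})", line))
    return pins


def check_artifact(name: str, data: bytes, pins: dict[str, set[str]]) -> str:
    """Return 'ok', 'mismatch' or 'unpinned' for one downloaded artifact.

    In --require-hashes mode an unpinned requirement is rejected just like a
    mismatch: the installer refuses to proceed rather than trusting the index.
    """
    wanted = pins.get(name.lower())
    if not wanted:
        return "unpinned"
    digest = hashlib.sha256(data).hexdigest()
    return "ok" if digest in wanted else "mismatch"


def audit(artifacts: dict[str, bytes], requirements: str) -> dict[str, str]:
    """Check every downloaded artifact and report a verdict per requirement."""
    pins = parse_hashes(requirements)
    return {name: check_artifact(name, data, pins) for name, data in artifacts.items()}
```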
diggan, yesterday at 11:49 AM

> security breakdown of uv versus pip versus conda versus whatever fashionable package manager

In the end, every package manager (so far, at least) downloads and runs untrusted (unless you've verified it manually) 3rd-party code. Whatever the security difference between uv and pip is implementation-wise, it is dwarfed if you haven't found a way of handling untrusted 3rd-party code yet.