FWIW, people making the exact mistake you describe, at scale, is the only hypothesis I ever came up with for the sheer number of downloads from PyPI that pip used to get (and many other things that you wouldn't expect production code to need at runtime, like `setuptools`, still do). You'd think that ordinary users would only ever need to get it from PyPI when they upgrade, which admittedly could happen once per pip version per virtual environment if you didn't know or care how to do it any better. But we're talking about over half a billion downloads per month. It used to be firmly on the top 20 list.

Really, the fact that any package gets that many downloads is crazy to me. (I think the main reason that boto3 ecosystem stuff tops the charts is that they apparently publish new wheels daily.) How many devices run Python? How many of those need, say, Numpy? How many of those really care about being on the latest version all the time, and can't use a cached version? (Granted, another problem here is that you can't readily tell pip "prefer a cached version if anything already cached is usable". Pip doesn't even know what's in its own cache, unless it was built locally; the cache is really only there to power a caching HTTPS proxy, so it stores artifacts keyed by a hash of the original download URL.)