Occasionally I run into comments or responses that state emphatically that running
When you run
sudo, you run
sudo. In other words, you run arbitrary Python code from the Internet as root. If someone puts up a malicious project on PyPI and you install it, you give an attacker root access to your machine. Prior to some recent fixes to
pip and PyPI, an attacker could also run a man in the middle attack to inject their code when you download a trustworthy project.