Allow more valid `pip` sources

[maxrake]

Overview

It has been observed that users with their primary/active python3/pip binary located in ~/.local are not able to perform lockfile generation on pip manifest files. This is a valid location for pip to exist and should be supported. Updates to sandbox exceptions are likely needed.

Additional Guidance

A workaround exists to bypass the sandbox with the --skip-sandbox option. However, this is not recommended unless the fully resolved set of dependencies are already known and trusted since arbitrary code execution is possible without the sandbox.

Acceptance Criteria

• [x] Lockfile generation for pip manifests succeeds when the primary pip binary is located in ~/.local and no other instances of pip exist
• [x] The pip extension sandbox permissions are updated to match
• [ ] Documentation is updated so that users experiencing this error will get more background and/or actionable next steps when visiting the suggested link

[louislang]

@phylum-dev/user-components This should be treated as critical. It's blocking a customer, we need to unblock them asap!

[cd-work]

For personal reference:

$ pip3 --version
pip 23.3.2 from /home/ubuntu/.local/lib/python3.8/site-packages/pip (python 3.8)
$ python3 -m pip --version
pip 23.3.2 from /home/ubuntu/.local/lib/python3.8/site-packages/pip (python 3.8)