The first step is to separate system tools from userland tools. For example if system tools depend on python then they should be using their own isolate python and not the one that gets run when a user types 'python' on the command line. This way you can upgrade /usr/bin/python to 3.12 while /sbin/python (or whatever) can be locked at 3.8 to make sure important OS tools don't break. /sbin/python is not in the path of any user and only gets upgraded as part os a major OS upgrade.
Or you go the functional package management route and strip out these global paths entirely. nix and guix do this. Every package that needs python is built against a specific version of python (where a "version" is defined by its source code, compiler flags, toolchain versions, bootstrap toolchain versions, etc.; basically anything that can make the build result behave differently) and will only ever use that. Different packages can use different python versions. A system configuration can also choose to make a specific version available in the PATH, but it doesn't have to. A user environment can do the same, as can a project specific environment. All in one package management system.
