In my experience this is only true for C/C++ (with a decent amount of work to setup CROSSTOOL properly). As soon as you start to get into Python, and Python<->C++ interop, it becomes very leaky.
I heard that Google has some tools internally that build the Python interpreter with Bazel and use that in order to guarantee hermeticity, but that doesn't seem to be possible with public tooling (at least not without some major hacks, for example https://github.com/bazelbuild/bazel/issues/4286 )
It would be interesting to see how Google manages languages such as Python at scale (and other languages that have similarly leaky package management).
And not only that, but it's also been doing this for well over a decade now, at a massive, multi-billion LOC multi-petabyte artifact scale at Google. Google would not be able to function without it.
1. https://bazel.build/