
How do you, as website owner, protect your users from something like this?

https://www.bleepingcomputer.com/news/security/451-pypi-pack...



You do not, the user is responsible for the operation of their device. Most of the time this should be caught by whatever malicious software detector the user runs. Also, Chrome and Firefox very heavily guard against extensions being installed from outside of the usual way, i.e. by outside programs.


> You do not, the user is responsible for the operation of their device.

As time goes on, hand-waving the matter as "user's responsibility" is becoming a less and less acceptable answer. Hard assurances are being demanded, and applied technologies are progressively patching the existing loopholes.


It's not hand-waving; it literally is not the website's responsibility.


Organization executives and lawmakers are increasingly demanding that digital services be made un-hackable. Someone with an attitude and trying to shirk duty by claiming we just have to trust that all of the users will always be responsible and non-abusive all of the time will at best be laughed and shooed out of the room. More realistically, they will be given a final PIP. Telling your bosses "no I'm not going to do that" is a resume-generating event.


Both groups of people who have no direct understanding of how any of this works.

You can demand change all you want but it doesn't change how the real world works. These people need to come off their high horse and come join the rest of us. So sick and tired of C-level people demanding shit they know nothing about.


Why do you, as a website owner, think that it is your responsibility to protect your users from mistyping the name of Python packages they are installing via pip?


At some point you don't. The cure becomes worse than the disease. Maybe if you could give users the option to enable it. But let's be honest, if this ships every bank will require it. Good luck checking your balance on Linux or a rooted Android phone. You will get an approved operating system to keep your cash under your bed.



