Clickjacking attacks and notebook security?

This applies to the separation of notebook code and the Observable UI.

And I’d like to add a caveat: Within the context of a notebook, you’re only as secure as the code that you import. At any point some notebook in your import chain could alter its code to, e.g., track storage or keydown events. And even if you pin all your direct imports, any transitive imports will still include the latest version (unless they are also pinned, which is rare).

As far as I’m aware, @mbostock has been wanting to implement automatic version pinning (similar to npm/yarn lock files) for quite some time, but there is no concrete roadmap or date yet.
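The following is an added example illustrating the point made above about pinned direct imports and floating transitive imports; it is not code from this thread or from Observable. It assumes a simplified model in which a specifier such as `@user/notebook@3` pins version 3 and a bare `@user/notebook` resolves to the newest published version, and it uses a constructed in-memory registry with made-up notebook names (`@alice/chart`, `@bob/util`) whose "effects" field stands in for what each version's code does. A resolver walks the import chain with or without a lock file, and `driftedSince` reports which notebooks in a lock now resolve differently.

```javascript
// Toy model of notebook import resolution (added example, not Observable's code).
// Assumption: "@user/notebook@N" pins version N; a bare "@user/notebook" floats
// to the newest published version. Registry contents are constructed.

function makeRegistry() {
  // Fresh copy each call so the demo and any tests start from the same state.
  return {
    "@alice/chart": {
      latest: 1,
      versions: {
        // alice imports bob without a version, so it floats.
        1: { imports: ["@bob/util"], effects: [] },
      },
    },
    "@bob/util": {
      latest: 1,
      versions: {
        1: { imports: [], effects: [] },
      },
    },
  };
}

function publish(reg, name, version, code) {
  // Simulates an author pushing a new version; "latest" moves with it.
  if (!reg[name]) reg[name] = { latest: 0, versions: {} };
  reg[name].versions[version] = code;
  reg[name].latest = Math.max(reg[name].latest, version);
}

function parseSpecifier(spec) {
  // "@user/notebook@3" -> { name: "@user/notebook", version: 3 }
  // "@user/notebook"   -> { name: "@user/notebook", version: null }
  const m = /^(@[^@/]+\/[^@]+)(?:@(\d+))?$/.exec(spec);
  if (!m) throw new Error(`bad import specifier: ${spec}`);
  return { name: m[1], version: m[2] === undefined ? null : Number(m[2]) };
}

function pickVersion(name, requested, lock, reg) {
  const entry = reg[name];
  if (!entry) throw new Error(`unknown notebook: ${name}`);
  if (requested !== null) return requested;     // explicit @N pin wins
  if (lock && name in lock) return lock[name];  // otherwise the lock file pins it
  return entry.latest;                          // otherwise it floats to newest
}

function resolveChain(rootSpec, reg, lock = null) {
  // Walks the transitive import graph and records every version loaded and
  // every effect the loaded code would have in the importing notebook.
  const resolved = {};
  const effects = [];
  const visit = (spec) => {
    const { name, version: requested } = parseSpecifier(spec);
    const version = pickVersion(name, requested, lock, reg);
    if (resolved[name] !== undefined) {
      if (resolved[name] !== version) throw new Error(`version conflict for ${name}`);
      return;
    }
    resolved[name] = version;
    const code = reg[name].versions[version];
    if (!code) throw new Error(`${name}@${version} is not published`);
    for (const e of code.effects) effects.push(`${name}@${version}: ${e}`);
    for (const dep of code.imports) visit(dep);
  };
  visit(rootSpec);
  return { resolved, effects };
}

function driftedSince(lock, reg) {
  // Notebooks whose floating resolution no longer matches what the lock recorded.
  return Object.keys(lock).filter((name) => reg[name].latest !== lock[name]);
}

function demo() {
  const reg = makeRegistry();
  // Day one: the consumer pins its direct import and records the whole chain.
  const lock = resolveChain("@alice/chart@1", reg).resolved;
  // Later: bob publishes a version that hooks keyboard input (constructed scenario).
  publish(reg, "@bob/util", 2, { imports: [], effects: [] });
  publish(reg, "@bob/util", 3, { imports: [], effects: ["adds a document keydown listener"] });
  const floating = resolveChain("@alice/chart@1", reg);       // direct pin only
  const locked = resolveChain("@alice/chart@1", reg, lock);   // full-chain pin
  console.log("direct pin only:", floating.resolved, floating.effects);
  console.log("with lock file: ", locked.resolved, locked.effects);
  console.log("drifted since lock:", driftedSince(lock, reg));
  return { lock, floating, locked };
}

demo();
```

The direct pin on `@alice/chart@1` does nothing for `@bob/util`, which alice imports unpinned, so the consumer silently picks up bob's version 3 and its keydown hook. Only the lock, which pins the transitive closure, keeps the chain at the versions that were reviewed, and `driftedSince` is the check you would run before deciding whether to re-review and bump.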