Can anyone with more expertise comment on the use of cryptography.hazmat which is apparently (1) a frontend to openssl, (2) "full of land mines, dragons, and dinosaurs with laser guns"?
It's "hazmat" because cryptography is dangerous, and the library authors would strongly recommend you use an opinionated library that does the cryptography for you, like Nacl, where you don't think about which crypto primitives to use, but rather they're all set up for you. Here, they're working with an existing format and have specific requirements; they're doing the thing the "hazmat" library exists to facilitate.