The lockfile does more than just pin the versions of your immediate deps, so one might reset it for some other reason. Or you might want to update individual packages without caring about the specific commands for that, so you edit the package file, delete lockfile, reinstall.
But if I use uv sync and the package I want I don't ever need to toss the whole file right. In rust I'd never sign off on a mr that just randomly updated lots of deps with no reason tied to the issue they were resolving
Not sure. Those lockfiles don't seem really human-readable. I wouldn't approve a change that randomly changes the lockfile without explanation, but I would also want the project file to set the requirements rather than relying on the lockfile, cause that's not the lockfile's job.