I think you shouldn't combine pip and another method of managing Python packages. That's not only related to certbot, but in general.
That is fair guidance but is not always possible. As far as I can I use Python Envs so that different applications don't conflict. It is unfortunately always certbot that breaks production and the other software not. I'd therefore try and make Certbot from Epel more robust. If certbot on Centos 7 could for instance work with a newer version of requests than having only 'requests==2.6.0' that would already help. I don't follow that logic. It should be requests equal or greater than 2.6.0 as certbot is working on Centos 8 with a higher release than 2.6.
neither snap nor making the debian package maintainers "aware" is really an option now, is it ?
Howcome snap isn't an option?
inviting and installing some container-like sandbox just for something like certbot seems excessive and not very efficient. There are also security concerns and it uses proprietary software (server side) to provide the packages - thats one of the reasons why Mint kicked it out altogether.