Using a virtualenv is a bit of a tricky compromise, because it means that while we benefit from security updates in the OS-packaged versions, updates can also break compatibility with the pip installed packages. I'd like to make sure we really spell out this rationale in detail compared to say not using --system-site-packages or using all OS-installed packages on compatible operating systems.
I'm a bit doubtful of the security argument. However, I think the system-site-packages is nonetheless mandatory, so that python-gobject, which is not a native Python module installable from PyPi is accessible to the Virtualenv. It is needed for GStreamer.