T1: I think centralizing dependencies is pretty important
T2: Using poetry (option 2) seems like the way to go, especially since we can separate development dependencies from production dependencies. We could put “held back” dependencies like pylint into the development dependencies.
T3: I think that using a single constraints file for all the docker images makes sense, but like @tkonolige says, it does seem like a large burden to place on people updating docker images. And then if you want to change a dependency for a normal PR, you need to rebuild the CI-docker images, which again places a large burden on the people updating the docker images.