Why hide libraries when not building a package?

Note that you also do not get optional dependencies that you only need in your other projects, which is good for reducing the surface.

I think a frequent practice is to have a shell.nix and actually keep track of Nixpkgs updates until something breaks. This still allows you to pick from multiple available stable branches where applicable. And then you get to bisect without messing with your entire system. And of course not everything handles malicious input all the time, so you have the option to finish processing the by-now-known-non-malicious-although-garbage data before debugging the update.
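An added example of the shell.nix practice described in the comment above, written for this page and not taken from the comment or from Nixpkgs itself: it pins Nixpkgs to one commit of a stable branch, so updating means editing the commit, and bisecting a breakage means stepping that commit through nixpkgs history without touching the system channel. The commit value, the hash placeholder and the package list are assumptions for illustration.

```nix
# Added example (not from the original comment): a per-project shell.nix
# that pins Nixpkgs to a single commit. The commit, the hash and the
# package list below are placeholders, not values from the page.
let
  # The commit on the stable branch you follow (e.g. a nixos-XX.YY branch)
  # that you have currently verified works. Assumed placeholder.
  nixpkgsRev = "REPLACE-WITH-NIXPKGS-COMMIT-HASH";

  nixpkgs = fetchTarball {
    url = "https://github.com/NixOS/nixpkgs/archive/${nixpkgsRev}.tar.gz";
    # Deliberately wrong hash: on first use Nix fails with a hash-mismatch
    # error that prints the real hash, which you then paste in. After that
    # the tarball is verified on every fetch.
    sha256 = "0000000000000000000000000000000000000000000000000000";
  };

  pkgs = import nixpkgs { };
in
pkgs.mkShell {
  # Only what this project needs. Optional dependencies pulled in by your
  # other projects never enter this environment, which is the surface
  # reduction the comment refers to.
  buildInputs = with pkgs; [
    python3
    jq
  ];
}
```

To follow Nixpkgs updates, bump `nixpkgsRev` (and the hash) and re-enter the shell; if something breaks, the system itself is untouched and you can step the commit back. For a real bisect over many commits it is quicker to clone nixpkgs locally, run `git bisect` there, and temporarily replace the `fetchTarball` with `import /path/to/your/nixpkgs-checkout { }` so each bisect step is just re-entering `nix-shell`.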