This should include stuff like readFile where the argument is a derivation. We should have separate checks for import from derivation and using callPackage on a derivation, since those are the preferred mechanisms if we do turn out to want eval-time building.