pip modules are not subject to review. It is indeed possible that backdoors might be introduced via them.
This itself is not possible IF you trust the developer.
1) PIP is using https. This already eliminates some attack vectors (e.g. MITM).
2) PIP is using checksums (MD5 I believe) provided by the author (in this case ThomasV) to be sure it has not been tampered with.
This is not necessarily safe since MD5 is quite broken. But it at least is SOME security.
However, downloading it manually and checking the signature is more secure and eliminates any risk of maliciously replaced packages (this still requires that you trust the developer).
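
A manual digest check on a downloaded package, as an added example (not part of the original post and not pip's own code): it reads pins in the `--hash=alg:hex` form used by pip's hash-checking mode and refuses pins that are only MD5 or SHA-1. The package names and the sample bytes are constructed, and the pinned digest is assumed to come from a source you already trust.

```python
import hashlib
import hmac

WEAK_ALGORITHMS = {"md5", "sha1"}  # collision-broken; never accepted as a pin

def parse_pins(requirements_text):
    """Parse 'name==version --hash=alg:hex ...' lines into {requirement: [(alg, hex)]}."""
    pins = {}
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        requirement, *options = line.split()
        for option in options:
            if option.startswith("--hash="):
                alg, _, digest = option[len("--hash="):].partition(":")
                pins.setdefault(requirement, []).append((alg.lower(), digest.lower()))
    return pins

def verify_artifact(data, pinned):
    """Return the algorithm that matched; raise ValueError if nothing strong matches."""
    strong = [(alg, digest) for alg, digest in pinned if alg not in WEAK_ALGORITHMS]
    if not strong:
        raise ValueError("no strong hash pinned; refusing to trust MD5/SHA-1 only")
    for alg, expected in strong:
        actual = hashlib.new(alg, data).hexdigest()
        if hmac.compare_digest(actual, expected):
            return alg
    raise ValueError("digest mismatch: artifact differs from the pinned release")

# Constructed sample bytes standing in for a downloaded package file.
SAMPLE_ARTIFACT = b"constructed sample package contents\n"
# Constructed requirements text: one strong pin, one MD5-only pin.
SAMPLE_REQUIREMENTS = (
    "examplepkg==1.0 --hash=sha256:" + hashlib.sha256(SAMPLE_ARTIFACT).hexdigest() + "\n"
    "legacypkg==0.1 --hash=md5:" + hashlib.md5(SAMPLE_ARTIFACT).hexdigest() + "\n"
)

if __name__ == "__main__":
    pins = parse_pins(SAMPLE_REQUIREMENTS)
    print(verify_artifact(SAMPLE_ARTIFACT, pins["examplepkg==1.0"]))
```

A matching digest only shows the file is the one that was pinned; it says nothing about who produced the pin.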