This already says "# Disable version updates for pip dependencies"

https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#open-pull-requests-limit

This option has no impact on security updates, which have a separate, internal limit of ten open pull requests.

I think the security category is how this is leaking through.

• https://github.com/googleapis/java-storage-nio/blob/main/.github/dependabot.yml#L14

Releases notes for the dependency list security in what was fixed.

• build(deps): bump requests from 2.27.1 to 2.31.0 in /.kokoro java-storage-nio#1180

Cryptography probably implicitly gets categorized as security

• build(deps): bump cryptography from 39.0.1 to 41.0.0 in /.kokoro java-storage-nio#1188

Yes.