This is controversial, I know, but I think it's worthwhile.

With this patch applied, run the tests like so:

 $ docker-compose exec -e STUPIDLY_HOBBLE_SECURITY=I_AM_AN_IDIOT_YES_I_REALLY_MEAN_IT web python manage.py test
Found 31 test(s).
Creating test database for alias 'default'...
System check identified no issues (0 silenced).
...............................
----------------------------------------------------------------------
Ran 31 tests in 39.027s

OK

That should be obvious enough that nobody's going to do it by accident. One thing I'm not sure about is if there's a better place to put the NoSecurityHash class so that it can be passed in to the CareRecipientForm, so that we could only have the thing that breaks the security where the tests are, not in code that gets loaded at runtime.