Like you're suggesting, external data can be seen as a variant of literals embedded in code.

https://www.python.org/dev/peps/pep-0589/

  movie: Movie = {'name': 'Blade Runner',
                  'year': 1982}

It's all possible in theory, but the support in widely used static type checkers is very basic or has bad UX.

On the other hand, this is exactly what you need to write secure code.