Issue 30154 that I've marked as a duplicate demonstrates this problem without using shell=True.  The solution I proposed handles that via the additional small timeout on the cleanup side, but still has the caveat that the grandchild processes keep running unless the caller used start_new_session=True.

See the PR.

We cannot reasonably determine when start_new_session=True should be a default behavior.  And I worry that doing it when it should not be will cause unexpected new problems with existing code.
