How to trigger dependabot scan on developer pull requests
I'm not sure if my use case is one Dependabot is suited for, so I'm hoping someone can tell me if it is or is not, and if it is, point me to some documentation on how to do what I'm describing:

I want to create a workflow that:

  1. runs a Dependabot scan on each developer pull request
  2. Dependabot only reports on newly introduced or updated dependencies
  3. the pull request is blocked by any new dependencies with vulnerabilities of medium or higher
  4. Dependabot does not create a PR as a result of a PR scan

Is this possible?

Handcar answered 10/2, 2022 at 15:51 Comment(0)
This is possible with the dependency review action: https://github.com/actions/dependency-review-action

Sewing answered 11/4, 2022 at 14:27 Comment(0)
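A workflow that maps the four requirements in the question onto the dependency review action, added here as an illustration (it is not code from the answer above or from the action's own repository). The file path, workflow name and job name are my own choices; `moderate` is the action's severity level that corresponds to "medium" in the question.

```yaml
# .github/workflows/dependency-review.yml (constructed example)
name: Dependency review

# Requirement 1: run on every developer pull request. The action diffs the
# PR head against its base branch, so (requirement 2) only dependencies that
# the PR adds or updates are reported, not pre-existing ones.
on:
  pull_request:

# Least privilege: read the repository, write only the PR comment below.
permissions:
  contents: read
  pull-requests: write

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: Check out the pull request
        uses: actions/checkout@v4

      - name: Review newly introduced dependencies
        uses: actions/dependency-review-action@v4
        with:
          # Requirement 3: fail the check when any added or updated dependency
          # has a known vulnerability of this severity or higher.
          # Accepted values: low, moderate, high, critical.
          fail-on-severity: moderate
          # Show the findings directly on the pull request so the developer
          # does not have to open the job log.
          comment-summary-in-pr: always
```

Requirement 4 is satisfied because the action never opens pull requests; it only sets a check status. To make a failed check actually block merging, mark the `dependency-review` job as a required status check in the branch protection rules of the protected branch.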

Seems the answer is no, Dependabot cannot do this.

A colleague found this information:

"Dependabot alerts will find vulnerabilities that are already in your dependencies, but it's much better to avoid introducing potential problems than to fix problems at a later date."

At this location:

https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review

And GitHub has, on its roadmap, the ability to block pull requests that introduce vulnerable dependencies:

https://github.com/github/roadmap/issues/149

Handcar answered 10/2, 2022 at 16:55 Comment(0)
