This is definitely something I'm curious about as well. Rest assured, it won't cause any harm. Realistically, you should generate your composer.lock with composer on a testing server, then copy it to your production server.
It's posible when they say "your applications version control" they assume you are the only one using that application's repository.
