Bedrock uses a modified folder structure but WP core is completely intact. We just disable auto-updates since you update WP itself through Composer. Even if you enabled auto-update I don’t think it would break anything. The update just wouldn’t be reflected in your Git repository since it only happened on the production server.
Do you mean plugins/themes that aren’t in WP plugin directory? Composer can pull from WPackagist, normal Packagist, any custom Git/SVN repository, zip file, etc. I suggest searching this forum for other Composer topics like Best way to install private/paid plugins with Composer?.
There’s this post as well: http://roots.io/wordpress-plugins-with-composer/