I'm not a project member, but speaking as a developer for other projects, I would observe that:
composer.json is the base for the 'composer update' command (it looks for desired packages and grabs the newest allowed version, then modifies composer.lock accordingly, which is probably why you see it as modified after install).
composer.lock is the base for the 'composer install' command (it grabs the packages with the specific version from the lock file, unless the json lists removed or added packages). Basically the lock serves to, well, 'lock' the versions for delivery (whoever gets it can be sure they are using the same versions as last tested). It doesn't make sense to put the lock in the .gitignore (especially since the gitignore will then be grabbed by others). Personally I am a user and if I pull from the repo, I'd prefer to install from the lock rather than risk an update.
If you want to ensure that you won't accidentally commit an unwanted modified lock, you can add it to .git/info/exclude inside the repository folder. It kind of acts as a .gitignore but with local effects.
Best regards,
Andrei
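Added example, not part of Andrei's comment: a POSIX shell function that builds a throwaway repository, puts `composer.lock` in `.git/info/exclude`, and reports whether `git status` still shows the file. It also shows that the exclude only hides an untracked lock; a lock that is already committed still shows its modifications. The repository contents are constructed and `git` is assumed to be installed.

```shell
#!/bin/sh
# Prints "hidden" when composer.lock no longer appears in `git status`
# after being listed in .git/info/exclude, "visible" when it still does.
# $1 is "untracked" (lock never committed) or "tracked" (lock committed first).
lock_status_with_local_exclude() {
  mode=$1
  repo=$(mktemp -d) || return 1
  result=$(
    cd "$repo" || exit 1
    git init -q . || exit 1
    git config user.email "demo@example.invalid"   # constructed identity for the commit
    git config user.name "demo"
    # Constructed composer.json: the version ranges `composer update` resolves from.
    printf '{"require": {"monolog/monolog": "^2.0"}}\n' > composer.json
    # Constructed composer.lock: the pinned result that `composer install` replays.
    printf '{"packages": [{"name": "monolog/monolog", "version": "2.9.1"}]}\n' > composer.lock
    git add composer.json
    if [ "$mode" = tracked ]; then git add composer.lock; fi
    git commit -q -m "initial" || exit 1
    # Simulate a later `composer update` rewriting the lock with a newer pin.
    printf '{"packages": [{"name": "monolog/monolog", "version": "2.9.2"}]}\n' > composer.lock
    # The local exclude uses .gitignore syntax but lives outside the tree,
    # so it is never committed or shared with other clones.
    echo composer.lock >> .git/info/exclude
    if git status --porcelain | grep -q composer.lock; then echo visible; else echo hidden; fi
  )
  rc=$?
  rm -rf "$repo"
  printf '%s\n' "$result"
  return $rc
}
```

An untracked lock is hidden by the exclude entry, while a committed lock's changes still appear in `git status` and can still be committed by accident.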