The new (ish) drupal/core-composer-scaffold plugin seems somewhat problematic:
If a developer runs composer update, and there is an update available for composer, this will fail, because it first removes composer. If the developer includes ./vendor/bin in their environment path for cli execution, which seems a relatively sane thing to do, everything falls over at that point.
Is the hard dependency on composer/composer in /vendor/drupal/core-composer-scaffold/composer.json really essential? My prior experience with composer has indicated that it should be installed globally, not as a per-project dependency. Then composer self-update can (and should) be used to update the package manager itself.
Thoughts?