
What happens if I accidentally run composer update on a remote machine?

It updates packages to the latest versions allowed by your constraints, and generates a composer.lock file that differs from the one in version control. Your production environment may then be running package versions that you haven't tested.

In principle, that shouldn't cause issues if the version constraints in composer.json are sensible, meaning they don't allow updates between major versions (e.g. 5.x.x to 6.x.x). Only major versions are supposed to include backward-incompatible changes. But that's the theory. In practice you should always test the code you're about to deploy.

So, in a nutshell, is it composer update on a local machine, then push and composer install on a production machine?

That's the basic idea. If you used a CI/CD pipeline, the packages would be installed in the build environment and then pushed to the production server(s). In a simpler setup, you would run composer install as part of your deployment process on the production server.
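
An added example, not part of the comment above: a small check that compares the composer.lock committed to version control with the one found on a server and lists every package whose locked version drifted, marking major-version jumps. The package names and lock contents are constructed samples; only the `packages`, `packages-dev`, `name` and `version` fields of composer.lock are read.

```python
import json
import re

# Constructed sample lock files (trimmed to the fields this check reads).
COMMITTED = json.dumps({"packages": [
    {"name": "acme/framework", "version": "v5.4.0"},
    {"name": "acme/http-client", "version": "7.4.5"},
    {"name": "acme/logger", "version": "2.8.0"}], "packages-dev": []})
DEPLOYED = json.dumps({"packages": [
    {"name": "acme/framework", "version": "v5.8.2"},
    {"name": "acme/http-client", "version": "8.0.1"},
    {"name": "acme/logger", "version": "2.8.0"},
    {"name": "acme/polyfill", "version": "1.0.0"}], "packages-dev": []})

def locked_versions(lock_text):
    """Map package name -> locked version from composer.lock JSON text."""
    lock = json.loads(lock_text)
    pkgs = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    return {p["name"]: p["version"] for p in pkgs}

def major(version):
    """Leading major number of a tag such as 'v5.4.1'; None for dev branches."""
    m = re.match(r"v?(\d+)", version)
    return int(m.group(1)) if m else None

def lock_drift(committed_text, deployed_text):
    """Return (name, old, new, kind) for every package that differs."""
    old = locked_versions(committed_text)
    new = locked_versions(deployed_text)
    drift = []
    for name in sorted(old.keys() | new.keys()):
        a, b = old.get(name), new.get(name)
        if a == b:
            continue
        if a is None:
            kind = "added"
        elif b is None:
            kind = "removed"
        elif major(a) != major(b):
            kind = "major"
        else:
            kind = "minor/patch"
        drift.append((name, a, b, kind))
    return drift

if __name__ == "__main__":
    for name, a, b, kind in lock_drift(COMMITTED, DEPLOYED):
        print(f"{kind:12} {name}: {a} -> {b}")
```

An empty result means the server is running exactly the versions that were tested; any entry means untested code is deployed.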