Zero-installs mode does not replace the lockfile. Your lockfile is still the source of truth regarding integrity hashes.

However, it’s an extra line of defence against

1) your registry being down (preventing you from pushing a security hotfix when you find out another package compromised your product),

2) package unpublishing attacks (your install step fails or asks you to pick a replacement version, what do you do at 5pm on a Friday?), and

3) possibly (but haven’t looked in depth) lockfile poisoning attacks, by making them more complicated.

Also, it makes the size of your dependency graph (or changes therein) much more tangible and obvious, compared to some lines in a lockfile.

Exactly. Yarn uses a yarn.lock file with the sha256 hashes of each npm package it downloads from the repo (they are .tgz files). If the hash won't match, install fails. No need to commit the dependencies into your git.