Updating single packages is very much possible, see https://getcomposer.org/doc/03-cli.md#update - as for semver promises, that's really up to you and which packages you decide to trust, nothing the tool can do about it.
Note I said "deal with", it's not update, I learned long ago never to touch composer update. I think it is require that does this. Or that install doesn't have a single package argument? Whatever. I am not alone in finding the only way to actually use composer is to nail down every single package to a single version. Do note I didn't write https://github.com/webflo/drupal-core-strict which is just that https://github.com/webflo/drupal-core-strict/blob/8.5.4/comp...
As for trust, noone in the PHP world! Absolutely noone! I got into a debate with Rasmus about the meaning of backwards compatibility around the time PHP 5.4 began to throw additional warnings (not a new class of errors which could be additionally displayed, no) on code that previously worked. Drupal 8.4 released with a known bug that caused some code to merrily lose files uploaded by users because of a BC break. If you want BC, look at the kernel Linux API and even the ABI.
As for trust, noone in the PHP world! Absolutely noone! I got into a debate with Rasmus about the meaning of backwards compatibility around the time PHP 5.4 began to throw additional warnings (not a new class of errors which could be additionally displayed, no) on code that previously worked. Drupal 8.4 released with a known bug that caused some code to merrily lose files uploaded by users because of a BC break. If you want BC, look at the kernel Linux API and even the ABI.