zvr 3 hours ago
> What happens when you vendor/patch/fork a dependency?

You change the supplier property (and most probably the version). This is how you distinguish between OpenSSL 3.1.4 from the OpenSSL project and OpenSSL 3.5.4-1~deb13u1 from the Debian project.

> What happens to vulnerabilities that are not in code paths not used by your software, or only under certain flags?

You record this information in the SBOM, using structures like "this software has this vulnerability reported, but it's not affected by it in this case" (see, for example, VexNotAffectedVulnAssessmentRelationship in SPDXv3).

I completely agree that its purpose is not to replace lockfiles.
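A worked illustration of the two points in the comment above, added here and not part of zvr's post: a constructed SPDX v3 style fragment in which two OpenSSL packages are told apart by `suppliedBy`, and a `VexNotAffectedVulnAssessmentRelationship` records that one of them is not affected by a reported vulnerability, so a scanner finding against it can be triaged away. Element and property names follow my reading of the SPDX v3 JSON-LD serialisation (an assumption); the `urn:ex:` ids and `EXAMPLE-VULN-0001` are placeholders.

```python
# Constructed sample SBOM, not a real document. Type/property names follow
# SPDX v3 JSON-LD conventions as I understand them (assumption).
SBOM = {
    "@graph": [
        {"type": "Organization", "spdxId": "urn:ex:openssl-project", "name": "OpenSSL project"},
        {"type": "Organization", "spdxId": "urn:ex:debian", "name": "Debian project"},
        {"type": "software_Package", "spdxId": "urn:ex:pkg-openssl-upstream",
         "name": "openssl", "software_packageVersion": "3.1.4",
         "suppliedBy": "urn:ex:openssl-project"},
        {"type": "software_Package", "spdxId": "urn:ex:pkg-openssl-debian",
         "name": "openssl", "software_packageVersion": "3.5.4-1~deb13u1",
         "suppliedBy": "urn:ex:debian"},
        {"type": "security_Vulnerability", "spdxId": "urn:ex:vuln-1",
         "name": "EXAMPLE-VULN-0001"},  # placeholder id, not a real vulnerability
        # "Reported against this package, but this build is not affected":
        # the vulnerable code is never reached because the feature is compiled out.
        {"type": "security_VexNotAffectedVulnAssessmentRelationship",
         "spdxId": "urn:ex:vex-1", "from": "urn:ex:vuln-1",
         "to": ["urn:ex:pkg-openssl-debian"], "relationshipType": "doesNotAffect",
         "security_justificationType": "vulnerableCodeNotInExecutePath",
         "security_impactStatement": "Affected code path disabled at build time."},
    ]
}


def _by_id(sbom):
    return {e["spdxId"]: e for e in sbom["@graph"]}


def describe(sbom, pkg_id):
    """'name version (supplier)': the supplier, not the version alone, identifies the fork."""
    els = _by_id(sbom)
    pkg = els[pkg_id]
    return f"{pkg['name']} {pkg['software_packageVersion']} ({els[pkg['suppliedBy']]['name']})"


def not_affected(sbom, pkg_id, vuln_name):
    """Return the VEX justification if the SBOM says pkg_id is not affected by vuln_name, else None."""
    els = _by_id(sbom)
    for e in sbom["@graph"]:
        if e["type"] != "security_VexNotAffectedVulnAssessmentRelationship":
            continue
        if els[e["from"]]["name"] == vuln_name and pkg_id in e["to"]:
            return e["security_justificationType"]
    return None


def triage(sbom, findings):
    """Drop scanner findings [(pkg_id, vuln_name)] that a VEX not-affected statement covers."""
    return [(p, v) for p, v in findings if not_affected(sbom, p, v) is None]
```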