If you run composer vendor-expose copy on your local environment (where I assume you do have composer), does that create the real files in the right place for your production environment?
If so, then you should be able to keep everything in sync / updated with composer and still deploy with SFTP or similar. Maybe 
(if it works, then you should be able to add SS_VENDOR_METHOD=copy in your .env so it copies by default)