The big issue here that needs verification and/or fixing is that when a direct dependency is marked scope == provided, the transitive dependencies below that provided-scope dependency still need to be resolved for the purposes of testing.
For example, assume I'm developing an extension for Maven and I declare a direct dependency on maven-core with scope == provided. My real interest in maven-core is DefaultMaven, to be used to spawn separate, second-level builds (I know, there are many many other reasons this might not work, but just go with it). In this case, maven-core has a dependency on maven-project which is critical.
DefaultMaven depends on DefaultMavenProjectBuilder to read POMs and return MavenProject instances. If I create unit tests that attempt to execute my extension class, those unit tests will require the maven-project artifact (along with many others) to be present before a valid runtime environment for the unit test can be created. If maven-project is excluded from dependency resolution, the unit test will fail with a NoClassDefFoundError.
The place where a problem could arise in all of this is when/if my direct dependency with provided scope itself declares a dependency with scope == provided. Surefire most likely cannot create a valid runtime environment in this case unless it traverses every provided- and non-provided-scope dependency. Since the code makes the assumption that those provided-scope dependencies will be present at runtime, the calculation for creating that runtime environment for the purposes of unit testing may become very difficult.