If sodium extension needs to be enabled, it should be required in composer.json

So I'm confused as to whether the extension needs to be enabled or not. If it does need to be enabled, the extension should be required in composer.json to warn the user that they don't yet meet the requirements.

Upon further investigation, it is required, so that requirement should be marked in the module's composer.json.

Yes, it sounds like a good idea to add the extension dependency.
Some reasoning below.

The current composer version declares a dependency on php 7.2 and halite library.

  "require": {
    "php": ">=7.2",
    "drupal/key": "^1.0",
    "drupal/encrypt": "^3.0",
    "paragonie/halite": "^4.1 || ^5.0"
  }

Then, halite declares on its composer file a dependency on paragonie/sodium_compat: ^1.17, which suggests ext-sodium for PHP 7.0+.
And yes, that is a suggests and not a requires, which is likely to allow both pre and post php 7 versions to work, since the pre-php7 version is suggesting ext-libsodium instead, which made sense at the time.

Said that, the sodium_requirements() implementation here and the composer file is requiring php 7.2+, so indeed ext-sodium is required.

Hence, adding the requirement to composer makes sense.
Marking as RTBC.

3.x is the target for new development.

Whoops, seems this is only applicable to 2.x.

Adding this will break the tests, and it only applies to installations that have unsupported versions of PHP, so I'll close this now.