You are correct. This is in the Admin guide if you search for "delegated admin". Here's a snippet:
"Note that system administrators may only manage user roles, realms, and resource policies; only security administrators can manage administrator components."
By creating a delegated admin you will not be able to see/modify administrator components such as ".Administrators" & ".readOnlyAdministrators".