Isn’t it a way to allow access to one website of the network while dislowing to the others ? Like with a category or page ?

and from main admin.

because if I understand well,

I can create all roles from main admin, then sync network
Can allow on a sub site level from role capabilities,

But then if i add a role on main website and update, it delete the role on level website right ?