Restricting to system full access in user admin of a tenant user

I have a multitenant application where I created a user within the tenant environment using my tenant-level admin role. This user has access to create roles and users. However, I am surprised to discover that this user has full access to all the roles, including "system full access", which is supposed to be beyond the access of this user, as this user doesn't have access at that level. Is this by design and how it works, or is there something seriously missing that is causing this serious security admin issue?

FYI, I created my application originally in an older version of the platform and later migrated to platform v7.x as it evolved over the years.
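The behaviour the question expects, where a delegated admin can only hand out roles within their own tenant and within what their own roles delegate, can be expressed as a scope check at assignment time and at listing time. The following is an added illustration, not code from the platform in question; the role names (`system_full_access`, `tenant_admin`, `user_admin`, `member`), the tenant names and the `grants` delegation model are all constructed assumptions.

```python
"""Scope-checked role assignment for a multitenant user admin (added example;
the role catalogue, tenant names and delegation rules are assumptions)."""
from dataclasses import dataclass

SYSTEM_TENANT = "system"  # assumed name of the platform-wide tenant


@dataclass(frozen=True)
class Role:
    name: str
    tenant: str                       # owning tenant; SYSTEM_TENANT for platform-wide roles
    grants: frozenset = frozenset()   # names of roles a holder of this role may assign


@dataclass(frozen=True)
class User:
    name: str
    tenant: str
    roles: frozenset = frozenset()


class AssignmentDenied(Exception):
    pass


# Constructed role catalogue for the example.
ROLES = {
    "system_full_access": Role("system_full_access", SYSTEM_TENANT,
                               frozenset({"system_full_access", "tenant_admin",
                                          "user_admin", "member"})),
    "tenant_admin": Role("tenant_admin", "acme", frozenset({"user_admin", "member"})),
    "user_admin": Role("user_admin", "acme", frozenset({"member"})),
    "member": Role("member", "acme"),
}


def assignable_roles(granter: User) -> set:
    """Roles the granter may hand out: the union of what the granter's own roles
    delegate, restricted to the granter's tenant unless the granter belongs to
    the system tenant. This is also the set a role picker should display."""
    allowed = set()
    for held in granter.roles:
        allowed |= ROLES[held].grants
    if granter.tenant != SYSTEM_TENANT:
        allowed = {r for r in allowed if ROLES[r].tenant == granter.tenant}
    return allowed


def grant(granter: User, target: User, role_name: str) -> User:
    """Return a copy of target with role_name added, or raise AssignmentDenied.
    Checks: role exists, granter may delegate it, and granter stays inside
    their own tenant unless they are a system-tenant user."""
    if role_name not in ROLES:
        raise AssignmentDenied(f"unknown role {role_name!r}")
    if role_name not in assignable_roles(granter):
        raise AssignmentDenied(f"{granter.name} may not grant {role_name!r}")
    if granter.tenant != SYSTEM_TENANT and target.tenant != granter.tenant:
        raise AssignmentDenied("cross-tenant assignment is not allowed")
    return User(target.name, target.tenant, target.roles | {role_name})


def can_grant(granter: User, target: User, role_name: str) -> bool:
    """Boolean wrapper around grant() for use in UI filtering or tests."""
    try:
        grant(granter, target, role_name)
        return True
    except AssignmentDenied:
        return False


if __name__ == "__main__":
    # Constructed sample users.
    sysadmin = User("root", SYSTEM_TENANT, frozenset({"system_full_access"}))
    tenant_admin = User("alice", "acme", frozenset({"tenant_admin"}))
    delegated = User("bob", "acme", frozenset({"user_admin"}))
    newcomer = User("carol", "acme")
    print("bob may assign:", sorted(assignable_roles(delegated)))
    print("bob -> carol system_full_access:",
          can_grant(delegated, newcomer, "system_full_access"))
```

The important design point is that `assignable_roles` drives both the enforcement in `grant` and the list shown in the admin UI, so a tenant-scoped admin never sees, let alone assigns, a system-level role; a UI that lists every role while relying on a later server-side check is the pattern that produces the surprise described in the question.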