Incorrect.

Random sysadmins who have access to your server have the permissions to steal whatever is communicated between third parties unrelated to this sysadmin.

Just because some random outsourced nightshift dude has the permissions to do "sudo systemctl restart" shouldn't mean he gets to read all the secret credentials the service uses.

As it is now, the dude has full unfettered access to all credentials of all services on that machine.