Every role can have its own permission settings. You can set all permission types up to a document level.
You can read more about how to create a role.
You can read more about Vault and custom permissions.
You can read more about the warning triangle that indicates deviating permissions.