How does a cgroup namespace work?

2 votes
1 answer
86 views
I’m trying to understand how cgroup namespaces work, but I’m stuck on something that doesn’t make sense to me. My understanding is that a cgroup namespace should virtualize the cgroup hierarchy for a process, so that the process sees its current cgroup as / and doesn’t see the full host hierarchy. So I tried to create a cgroup namespace like this:
sudo unshare --cgroup

cat /proc/self/cgroup
0::/

echo $$
3183
Then, from another terminal on the host, I checked the cgroup for that process:
cat /proc/3183/cgroup
0::/user.slice/user-1000.slice/user@1000.service/app.slice/app-org.gnome.Terminal.slice/vte-spawn-ffe09412-f0d6-413e-b480-6d14f1290f84.scope
This matches what the man page says:
Cgroup namespaces virtualize the view of a process's cgroups (see cgroups(7)) as seen via /proc/[pid]/cgroup and /proc/[pid]/mountinfo.

Each cgroup namespace has its own set of cgroup root directories.
These root directories are the base points for the relative locations displayed in the corresponding records in the /proc/[pid]/cgroup file.
However, when I create a new cgroup inside my cgroup namespace, it appears in the host’s hierarchy too:
# Inside the namespace:
mkdir /sys/fs/cgroup/test

# On the host:
ls /sys/fs/cgroup/
...
test
...
So it seems that the entire host hierarchy is still visible and any new cgroup I make is visible system-wide. There’s no real isolation — from inside the namespace I can still see and modify all the host’s cgroups. I also tried combining it with a user namespace to avoid sudo but the result is the same:
unshare --map-root-user
unshare --cgroup
ls /sys/fs/cgroup/
Again, I see the full host hierarchy. So my questions are:

- Am I misunderstanding how cgroup namespaces are supposed to work?
- Is the cgroup namespace not designed to isolate the entire hierarchy like mount or PID namespaces do?
- Is there a correct way to use them to limit what cgroups are visible or writable?

Any clarification would be really appreciated!
Asked by Liric Ramer (85 rep)
Jun 27, 2025, 10:22 AM
Last activity: Jun 29, 2025, 09:52 AM
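The man page excerpt quoted in the question says that a cgroup namespace changes the base point from which the paths in /proc/[pid]/cgroup are reported. The following Python model, added here as an illustration and not taken from the question or from the kernel, reproduces that rule for the cgroup v2 `0::` record: the path shown is the target process's cgroup relative to the *reading* process's namespace root, and a cgroup that lies outside that root is still nameable, but only through `..` components. The function names (`relativize`, `view_record`, `is_inside`, `demo`) are the example's own, and the sample records are constructed from the cgroup path the question prints for the unshared shell.

```python
"""Model of how the kernel relativizes /proc/[pid]/cgroup paths to the
reader's cgroup namespace root (cgroup v2, single '0::' record).

Added illustration, not kernel code: it reproduces the rule documented in
cgroup_namespaces(7) that the path shown is relative to the *reading*
process's cgroup namespace root, with one '..' per level when the target
cgroup lies outside that root.
"""


def split_path(path: str) -> list[str]:
    """'/a/b/' -> ['a', 'b']; '/' -> []."""
    return [c for c in path.split("/") if c]


def relativize(target: str, ns_root: str) -> str:
    """Path shown for a process whose host cgroup is `target` when read from
    a cgroup namespace rooted at host cgroup `ns_root` (both absolute)."""
    t, r = split_path(target), split_path(ns_root)
    common = 0
    while common < len(t) and common < len(r) and t[common] == r[common]:
        common += 1
    # one '..' per level the namespace root sits below the common ancestor,
    # then the remaining components of the target
    comps = [".."] * (len(r) - common) + t[common:]
    return "/" + "/".join(comps)


def is_inside(target: str, ns_root: str) -> bool:
    """True when `target` is the namespace root or one of its descendants,
    i.e. the namespace reports it without any '..' components."""
    return not relativize(target, ns_root).startswith("/..")


def view_record(host_record: str, ns_root: str) -> str:
    """Rewrite one host-side /proc/[pid]/cgroup line (hierarchy:controllers:path)
    as a reader in a namespace rooted at `ns_root` would see it."""
    hier, ctrls, path = host_record.rstrip("\n").split(":", 2)
    return f"{hier}:{ctrls}:{relativize(path, ns_root)}"


# Constructed sample: the absolute cgroup of the shell in the question,
# which becomes the namespace root of the `unshare --cgroup` child.
SHELL_CGROUP = ("/user.slice/user-1000.slice/user@1000.service/app.slice"
                "/app-org.gnome.Terminal.slice"
                "/vte-spawn-ffe09412-f0d6-413e-b480-6d14f1290f84.scope")
HOST_RECORD = "0::" + SHELL_CGROUP


def demo() -> dict[str, str]:
    """Run the model over a few constructed cases and return the views."""
    return {
        # what `cat /proc/self/cgroup` printed inside the namespace
        "self_from_inside": view_record(HOST_RECORD, SHELL_CGROUP),
        # what the host shell printed for the same pid (root namespace, ns_root='/')
        "self_from_host": view_record(HOST_RECORD, "/"),
        # a sub-cgroup created *under* the namespace root is seen as a plain child
        "child_from_inside": view_record("0::" + SHELL_CGROUP + "/test", SHELL_CGROUP),
        # a cgroup created at the top of the host hierarchy lies outside the root:
        # the namespace can still name it, but only via '..' components
        "host_top_from_inside": view_record("0::/test", SHELL_CGROUP),
    }


if __name__ == "__main__":
    for name, rec in demo().items():
        print(f"{name:22s} {rec}")
```

The model only covers the /proc/[pid]/cgroup view, which is what the quoted man page text describes. The cgroupfs mounted at /sys/fs/cgroup is a separate object: the namespace does not rewrite an inherited host mount, so the question's `mkdir /sys/fs/cgroup/test` creates a cgroup at the top of the host hierarchy, which this model reports from inside the namespace as `/../../../../../../test` rather than hiding it.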