Tags: logging, audit, stackdriver, google-cloud-stackdriver, audit-logging

Possible to restrict access to all Cloud Audit logs?


I'm reading the docs, and I see access controls for restricting access to Data Access audit logs, but not for Admin Activity or System Event audit logs.

roles/logging.viewer (Logs Viewer) gives you read-only access to all features of Logging, except Access Transparency logs and Data Access audit logs.

Is it possible to further restrict this to disallow ALL audit log access to users while preserving access to all other (non audit) logs?


Solution

  • Turns out that this level of granularity is not currently possible as confirmed by the IAM team.