How do you manage Snowflake privileges?

Yeah you got it! :smiley:

To summarise, that’s right: the TRANSFORMER role has read-only access to future resources. Having a separate READONLY role that is granted to TRANSFORMER might be a good way to achieve it, because a human can have the READONLY role as well to troubleshoot. So it’s just another hop for some more flexibility.

You are right, we have a composite role. We have multiple layers of ADMIN because we don’t want the lower-tier ADMIN to have the powerful “manage grants” privilege, which would allow it to transfer ownership of resources; we want a human to have this role, but we don’t want them transferring things around in the whole Account. Instead the lower-tier ADMINs just have grants from the LOADER and TRANSFORMER, which own all the tables/views/schemas they create, plus the READONLY. This should be plenty for a human admin (think developer).

A good outcome of this is that the LOADER role can’t see the TRANSFORMER assets (i.e. STG and MARTs), which is nice because it could be a 3rd-party tool/SaaS thing that has it, like you mention. But if a human wants to do things, they can have the ADMIN role (and simply have the same access as owning the LOADER and TRANSFORMER’s assets all in one).

Then you can have even higher tier ADMIN roles for tools like Terraform to automate all this for you.
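The role layout described in this reply, written out as Snowflake SQL. This is an added example, not code from the original post or poster; the database name ANALYTICS, the schema names RAW, STG and MARTS, and the admin role names ADMIN_DEV (human, lower tier) and ADMIN_INFRA (Terraform, higher tier) are assumptions chosen for illustration. READONLY is granted future SELECT on the RAW schema here; the same three grant statements repeated for STG and MARTS would extend it to the transformed layers for troubleshooting.

```sql
-- Added example (not from the original post): LOADER / TRANSFORMER / READONLY / ADMIN
-- role hierarchy in Snowflake. Object and role names below are assumptions.
USE ROLE SECURITYADMIN;

CREATE ROLE IF NOT EXISTS READONLY;
CREATE ROLE IF NOT EXISTS LOADER;
CREATE ROLE IF NOT EXISTS TRANSFORMER;
CREATE ROLE IF NOT EXISTS ADMIN_DEV;     -- lower tier: for humans, deliberately without MANAGE GRANTS
CREATE ROLE IF NOT EXISTS ADMIN_INFRA;   -- higher tier: for automation such as Terraform

-- Root the custom hierarchy under SYSADMIN so nothing becomes an orphaned role.
GRANT ROLE ADMIN_INFRA TO ROLE SYSADMIN;
GRANT ROLE ADMIN_DEV   TO ROLE ADMIN_INFRA;

-- The lower-tier admin only inherits the functional roles; that is its entire access.
GRANT ROLE LOADER      TO ROLE ADMIN_DEV;
GRANT ROLE TRANSFORMER TO ROLE ADMIN_DEV;
GRANT ROLE READONLY    TO ROLE ADMIN_DEV;

-- The "extra hop": TRANSFORMER reads source data through READONLY rather than
-- holding SELECT grants directly, so a human can be given READONLY alone.
GRANT ROLE READONLY TO ROLE TRANSFORMER;

USE ROLE SYSADMIN;
CREATE DATABASE IF NOT EXISTS ANALYTICS;
CREATE SCHEMA   IF NOT EXISTS ANALYTICS.RAW;
CREATE SCHEMA   IF NOT EXISTS ANALYTICS.STG;
CREATE SCHEMA   IF NOT EXISTS ANALYTICS.MARTS;

-- LOADER owns the landing schema and nothing else: it cannot see STG or MARTS.
GRANT USAGE ON DATABASE ANALYTICS TO ROLE LOADER;
GRANT OWNERSHIP ON SCHEMA ANALYTICS.RAW TO ROLE LOADER;

-- TRANSFORMER owns the modelled schemas, so everything dbt creates there is its own.
GRANT USAGE ON DATABASE ANALYTICS TO ROLE TRANSFORMER;
GRANT OWNERSHIP ON SCHEMA ANALYTICS.STG   TO ROLE TRANSFORMER;
GRANT OWNERSHIP ON SCHEMA ANALYTICS.MARTS TO ROLE TRANSFORMER;

-- READONLY gets SELECT on existing AND future objects in RAW, so tables landed
-- later by LOADER are readable by TRANSFORMER without any re-granting.
GRANT USAGE  ON DATABASE ANALYTICS                 TO ROLE READONLY;
GRANT USAGE  ON SCHEMA   ANALYTICS.RAW             TO ROLE READONLY;
GRANT SELECT ON ALL    TABLES IN SCHEMA ANALYTICS.RAW TO ROLE READONLY;
GRANT SELECT ON FUTURE TABLES IN SCHEMA ANALYTICS.RAW TO ROLE READONLY;
GRANT SELECT ON ALL    VIEWS  IN SCHEMA ANALYTICS.RAW TO ROLE READONLY;
GRANT SELECT ON FUTURE VIEWS  IN SCHEMA ANALYTICS.RAW TO ROLE READONLY;

-- Only the top-tier (automation) admin may transfer ownership across the account.
USE ROLE SECURITYADMIN;
GRANT MANAGE GRANTS ON ACCOUNT TO ROLE ADMIN_INFRA;

-- Checks: confirm the hops and the future grants landed where intended.
SHOW GRANTS TO ROLE TRANSFORMER;          -- expect READONLY plus ownership of STG/MARTS
SHOW GRANTS TO ROLE LOADER;               -- expect no access to STG/MARTS
SHOW FUTURE GRANTS IN SCHEMA ANALYTICS.RAW;
```

Two points worth checking after running this: a future grant defined at schema level takes precedence over one defined at database level for that schema, so keep future grants at one level per schema to avoid surprises; and because ADMIN_DEV never receives MANAGE GRANTS, a human holding it can create and query objects through LOADER/TRANSFORMER but cannot re-home ownership elsewhere in the account.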