I think I interpret 2.1.3 the same way you do with regard to a Domain + Policy situation. The key sentence to me is this one:
However, the Circle retains the right to amend or remove that Domain delegation, or to define or modify Policies that further grant or constrain the Role’s authority within the Domain.
So you can distribute exclusive control over property (a Domain) except as defined by a policy. That usually strikes me as a clean solution to this issue.