See the text below, from our document on how to set up the security ourselves:
Whenever you create a Site Collection, two O365 groups get created (xxx-Owners and xxx-Members). For backward compatibility, these O365 groups are automatically added to the SharePoint groups at creation time.
(Note for SharePoint gurus: O365-xxx-Members is mapped to SharePoint-xxx-Members, but O365-xxx-Owners is mapped to… Site Collection Administrators! Crazy.)
SharePoint membership grants access to SharePoint resources, while access to Teams features (Channels, tabs, apps) is controlled directly via O365 groups.
The problem with this model is that we cannot add AD (Active Directory) groups (or even O365 groups) within O365 groups (no nesting allowed). So, if we want to give the same people (say SSWDevelopers) access to two different sites, we must add ALL MEMBERS manually on EACH generated O365 group. That is ridiculous, and hard to maintain in the long term.