There are separate controls assignable to Security or Access Permissions Roles. There are controls for MDM, for OSD, Browser Security and the general Endpoint controls. Device Control Plus appears to apply to a generic Security Add-On.
MDM has a control for Group Management. Presumably Edit rights can be provided to technicians on Custom Groups.
Browser Security has controls for Policies and Extensions. Selecting a computer object allows technicians the right to associate the computer object with a policy via the Associate Policy button.
However, there are no specific controls for Device Control Plus. The only options are available in Security Add-On controls, and do not include Custom Group management options.
In Device Control Plus, it is preferable to 1. create a policy, 2. deploy the policy to a Custom Group, and 3. apply device restrictions to the Custom Group.
While it is true, technicians can add devices to existing Trusted Devices lists, and can be given privileges to grant Temporary Approval to specific devices, they cannot EDIT computer objects associated to the Custom Group for a permanent deployment. Only full platform administrators can do this.
If there were a separate Device Control Plus control section that could apply Access Privileges to a specific Role, and it included Custom Group Management, then such Custom Groups could be shared and edited by select technicians, rather than limiting this stictly to full platform administrators.