I think you are right. This fine configuration isn't possible.
On the other hand, we use the basic role of reviewer with an approval flow to validate a task by team members who don't need full access. They are able to leave a comment, upload a document and approve (or reject) the task.