All the access management possibilities are explained in "Controlling access to source control in Rational Team Control".
The "Read protect some components but give public access to others" is close to what you are looking for.
But you can also protect at the folder level for a specific team area.
Prior to RTC 40, there was no access control on the folder or file level in the repository so keep this in mind when laying out your file system with certain documents that should be hidden. Access control at the file and folder level was added in RTC 4.0.
Regarding the "scoped" notion:
For components owned by the project area, its access is scoped the same way the project area is.
(so only the member of the project area can see/access it)
For components owned by an individual user, the owner can specify how it is scoped.
That is why you get the:
You cannot change the access control on components owned by project area and team area.
They inherit their access control settings from a project area or team area.
You need a component owned by a user in order to change its visibility.