See the source code on that:
As you say correctly, of course you have to take care: as a common denominator an id is used, in the case of e-mail a certain mail address, whose e-mail channel for communication functions as the key exchange channel, too (meaning the devices send themselves messages ("beacons"), which are considered technical messages by the p≡p engine and thus never shown to the user as such).
=> If you fear having a cell phone hacked or lost, it's better not to put it in a device group. Also, you can separate business from private accounts or have different accounts and, on top of that, aliases for whatever purposes, referencing the same id (mail address). In short: you can have (like mostly today) no device group at all or just different device groups meeting your needs and "paranoia levels" (based on the trust you put in your devices).
The devices agree on a device group key pair, which is the master key pair; still, they sync all devices' private keys for that specific id, such that you can read all of your messages received on all of your devices (even if there were changing pubkeys used for encryption in between, because of your different devices, which were not yet synced in the past).
If a device is lost or stolen, that has to be manually signaled by one of the other devices in the device group, and then the devices have to agree on a new device group key pair to encrypt their future communications (we're talking about PGP encryption here, so no forward secrecy).