As long as the sysadmin have access to the keys for decryption he could read mails. Per default mails are encrypted, nobody can login via the controlpanel to other mail accounts (You need to enable this in mailcow.conf).
Now my own opinion:
A sys admin have most of the time full access to everything (yes in big companies and certain ISO certifications not) and therefore - if he wants - even access to important data.
The best thing is to either enforce certain policies, trust your admin and/or move keys away so he don’t have access to decrypt data