That is correct.
Behind the scenes, certbot creates a new certificate and updates references in the old certificate to the new certificate. This saves having multiple versions of the parent domain.
E.g. if the initial cert was for tld.xyz with one SAN for www.tld.xyz:
If at a later date you wanted to add portal.tld.xyz, certbot would just create a new certificate that covers tld.xyz, SAN www.tld.xyz and portal.tld.xyz, and update the live folder with the new key and certs.
--expand tells Certbot to update an existing certificate with a new certificate that contains all of the old domains and one or more additional new domains.
Andrei
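
The tld.xyz case from the post above, as an added example that is not part of the original post or of Certbot itself: it reads the names already on a certificate, builds the `--expand` command line with the full list, and reports any existing name a proposed list would leave out. The SAN text is a constructed sample of `openssl x509 -ext subjectAltName` output; the `certonly` subcommand and the default `/etc/letsencrypt/live` path are assumptions, and authenticator options are left out.

```shell
#!/bin/sh
# Added example: build a `certbot certonly --expand` command that keeps every
# name already on the certificate and adds the new ones.

# Constructed sample of what this prints for the certificate in the post
# (path assumes certbot's default config directory):
#   openssl x509 -in /etc/letsencrypt/live/tld.xyz/cert.pem -noout -ext subjectAltName
SAMPLE_SAN_OUTPUT='X509v3 Subject Alternative Name:
    DNS:tld.xyz, DNS:www.tld.xyz'

# Extract the DNS names, one per line, from openssl's subjectAltName text.
san_names() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Existing names first, then the new ones; order kept, duplicates dropped.
merged_names() {
    existing=$1; shift
    { san_names "$existing"; printf '%s\n' "$@"; } | awk 'NF && !seen[$0]++'
}

# Print the certbot command for review; nothing is executed here.
expand_command() {
    cmd='certbot certonly --expand'
    for name in $(merged_names "$@"); do
        cmd="$cmd -d $name"
    done
    printf '%s\n' "$cmd"
}

# List names on the current certificate that are missing from a proposed
# -d list. Empty output means the new certificate still covers everything.
dropped_names() {
    existing=$1; shift
    for old in $(san_names "$existing"); do
        case " $* " in
            *" $old "*) ;;
            *) printf '%s\n' "$old" ;;
        esac
    done
}

expand_command "$SAMPLE_SAN_OUTPUT" portal.tld.xyz
```

Running `dropped_names` against the list you intend to pass with `-d` before requesting the certificate catches a hostname that would otherwise lose TLS coverage when the live folder is updated.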