Are dependabot alerts only based on the dependencies shown in the dependency graph?

Hi!
I’m currently doing research regarding vulnerability detection and I’m in the process of including Dependabot to my research. I would like to know if Dependabot finds vulnerabilities based on only the dependencies shown in the dependency graph of a repository. The docs hint that this is how it works when they state

For a list of the ecosystems that GitHub can detect vulnerabilities and dependencies for, see “Supported package ecosystems.”

which links to the article about the dependency graph. I’m wondering if this is the correct conclusion.