Yes, the root server should be able to be configured so that it does not download files from the internet and the top level relay would do that instead. I have never done this, but as far as I know it should work.
You want to configure the following on the top level relay:
_BESClient_Download_Direct=1
_BESGather_Download_CheckParentFlag=0
_BESGather_Download_CheckInternetFlag=1
_BESGather_Download_CacheLimitMB=SOMETHING_LARGE
This should allow the top level relay to handle the storage and downloads of internet files, which will take that load off of the root server. This is nice because it is much easier to swap out a relay as needed than to do so with the root server. It also allows the root server to not have internet access but still allow internet facing downloads to function.
If your installation is large enough, then it makes sense to have what I would call a “Super Top Level Relay” which is designed to take as much load off of the root server as possible, including internet downloads, message level decryption, etc…
The root server could be configured to use a proxy with very limited access, and the top level relay could also use a proxy if needed, but with broader access.
You can go a step further and have this super top level relay masquerade as the root server in a configuration called “hidden root”.