Network administration
Gudsaf, 2016-04-18 08:54:44

IPSec. Tunnel and transport mode of the AH protocol, what is the difference and meaning?

I read about IPSec, and I got to the operating modes of the AH protocol. I cannot understand the meaning of the transport mode.
As I understand it, the transport mode in AH allows you to verify only the authenticity of the IP packet data (for example, the TCP header and its contents), but leaves this data open - that is, anyone can read it and, for example, find out the source and destination addresses of this packet. They can, of course, change the data, but then, when it is processed by IPSec, it will not be authenticated and will be discarded. But at the same time, they can change the header of the IP packet and send the packet wherever they want (do I understand correctly that even in this case the integrity will be broken, but can the data be read in any way?).
Now the question is about the logic of tunnel mode in the AH protocol. It is written: in order to hide the source and destination data in the packet, the AH protocol uses tunnel mode and ensures integrity already at the level of the IP header (and of course TCP + data). AH inserts a new IP header in front of the entire packet, and simulates the insertion, while calculating the new hash of the packet with two IP headers: old and new.
And what is the meaning? Is it really also impossible to read the hidden header of the IP packet (by redirecting the packet to your address), because it is still not encrypted? Or am I misunderstanding something?


1 answer(s)
Dmitry Shitskov, 2016-04-18
@Gudsaf

The purpose of AH is not to hide information, but to preserve its integrity. Tunnel mode will allow site-to-site (optional) communication with protection against changing the header and content of the encapsulated packets.
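The exchange above can be made concrete with a small simulation. The following is an added example, not code from either poster: it builds simplified AH packets in transport and tunnel mode, computes the integrity check value (ICV) the way RFC 4302 describes (HMAC over the outer IP header with its mutable fields zeroed, the AH header with a zeroed ICV field, and everything after it), and then shows what an on-path change does. The key, addresses and payload are constructed for the demo; the HMAC-SHA256 truncated to 96 bits, the omitted IP checksum and the absence of any real SA or replay window are simplifications.

```python
import hashlib
import hmac
import struct

# Constructed demo key. In real IPsec the SA key is negotiated (IKE), never hard-coded.
KEY = b"constructed-demo-key"
PROTO_AH, PROTO_TCP, PROTO_IPIP = 51, 6, 4
IP_LEN, AH_LEN, ICV_LEN = 20, 24, 12   # AH = 12-byte fixed part + 96-bit ICV


def _ip2b(addr):
    return bytes(int(x) for x in addr.split("."))


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Build a minimal 20-byte IPv4 header (header checksum left 0 for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl,
                       proto, 0, _ip2b(src), _ip2b(dst))


def zero_mutable(ip_hdr):
    """RFC 4302: TOS, flags/fragment offset, TTL and checksum may legitimately
    change in transit, so they are zeroed before the ICV is computed."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS / DSCP
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def ah_fixed(next_hdr, spi, seq):
    """AH fixed part: next header, payload length (32-bit words minus 2),
    reserved, SPI, sequence number. The ICV follows it on the wire."""
    return struct.pack("!BBHII", next_hdr, AH_LEN // 4 - 2, 0, spi, seq)


def compute_icv(outer_ip, ah_fixed_part, rest):
    """ICV = truncated HMAC over outer header (mutable fields zeroed),
    AH header with zeroed ICV field, and everything after the AH header."""
    covered = zero_mutable(outer_ip) + ah_fixed_part + b"\x00" * ICV_LEN + rest
    return hmac.new(KEY, covered, hashlib.sha256).digest()[:ICV_LEN]


def ah_transport(src, dst, payload, spi=0x1000, seq=1):
    """Transport mode: original header (protocol now 51) + AH + original payload."""
    ip = ipv4_header(src, dst, PROTO_AH, IP_LEN + AH_LEN + len(payload))
    ah = ah_fixed(PROTO_TCP, spi, seq)
    return ip + ah + compute_icv(ip, ah, payload) + payload


def ah_tunnel(gw_src, gw_dst, inner_src, inner_dst, payload, spi=0x2000, seq=1):
    """Tunnel mode: new outer header + AH + the WHOLE original packet.
    The inner header is ordinary covered data: nothing in it is zeroed."""
    inner = ipv4_header(inner_src, inner_dst, PROTO_TCP, IP_LEN + len(payload)) + payload
    outer = ipv4_header(gw_src, gw_dst, PROTO_AH, IP_LEN + AH_LEN + len(inner))
    ah = ah_fixed(PROTO_IPIP, spi, seq)
    return outer + ah + compute_icv(outer, ah, inner) + inner


def ah_verify(packet):
    """Receiver side: recompute the ICV and compare it in constant time."""
    ip = packet[:IP_LEN]
    ah = packet[IP_LEN:IP_LEN + AH_LEN]
    rest = packet[IP_LEN + AH_LEN:]
    expected = compute_icv(ip, ah[:-ICV_LEN], rest)
    return hmac.compare_digest(expected, ah[-ICV_LEN:])


def with_byte_changes(packet, offset, new_bytes):
    """Copy of the packet with bytes at offset replaced (models an on-path change)."""
    p = bytearray(packet)
    p[offset:offset + len(new_bytes)] = new_bytes
    return bytes(p)


def demo():
    payload = b"GET / HTTP/1.0\r\n"   # constructed stand-in for TCP header + data
    t = ah_transport("10.0.0.1", "10.0.0.2", payload)
    u = ah_tunnel("203.0.113.1", "203.0.113.2", "10.0.0.1", "10.0.0.2", payload)
    return {
        # AH never encrypts: in both modes the data is plaintext on the wire
        "transport_payload_readable": t[IP_LEN + AH_LEN:] == payload,
        "tunnel_inner_readable": u[IP_LEN + AH_LEN + IP_LEN:] == payload,
        "transport_ok": ah_verify(t),
        "tunnel_ok": ah_verify(u),
        # rewriting the destination address (offset 16) breaks the ICV
        "transport_dst_rewritten": ah_verify(with_byte_changes(t, 16, _ip2b("10.0.0.9"))),
        # TTL (offset 8) is mutable: a router decrementing it does not break the ICV
        "transport_ttl_decremented": ah_verify(with_byte_changes(t, 8, b"\x3f")),
        # tunnel mode: the inner header starts at 44; its source (offset +12) is immutable
        "tunnel_inner_src_rewritten": ah_verify(with_byte_changes(u, IP_LEN + AH_LEN + 12, _ip2b("10.0.0.9"))),
        # modifying the payload fails in both modes
        "transport_payload_modified": ah_verify(with_byte_changes(t, IP_LEN + AH_LEN, b"PUT")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:30s} {result}")
```

Running `demo()` shows the two points of the answer: every byte, inner header included, stays readable in both modes, and any change to a covered field, whether the outer destination in transport mode or the encapsulated header in tunnel mode, makes `ah_verify` fail at the receiver, while a TTL decrement is tolerated because that field is excluded from the ICV.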
