1/2 - It's impossible for the client to know if your object will or will not conform to your restrictions until you've actually created it. As such, the constraint you describe will not explicitly prevent a user from creating objects, nor will it remove any buttons. Obviously with the constraint you describe is impossible to circumvent, but the client doesn't know that.
3 - By default, entity access is disabled in microflows. This is specifically so that a developer can perform their own validations and allow a user to change objects they would not be able to otherwise based on internal logic. If you turn on entity access in the microflow properties you should trigger an exception on click when changing attributes. Once again, this will not prevent you from creating objects as detailed above.
The permissions to create or delete are set separately to any x-path constraint. There are checkboxes for this in the entity permissions