Only the "starting points" of user interaction are visible in that overview, because those are the only ones where security needs to be specified. For example, a form used in the navigation menu needs its security to be specified, while a form opened from a microflow "inherits" the security from that microflow (i.e., if you're allowed to call the microflow, you can automatically view the form). The same applies to microflows calling other microflows, forms containing data source microflows, event microflows (e.g., before commit) on an entity, etc.
If this weren't the case, you could create weird situations where a user is allowed to execute a microflow, but the microflow then fails with a security error when trying to open a certain form.