Project security checks that all entities have at least 1 module role that has access to the entity.
I personally often use submicroflows to create entities for system purposes only, and things like webservice mappings.
These submicroflows are not accessible directly from the user interface either.
It would be nice if there was a way to avoid these entities being picked up in the security check, as nobody is allowed to perform any CRUD actions on these entities directly and therefor do not require a "role" to have security access.