This assumption is correct if you apply entity access in the DS microflows. If you don't apply entity access in the DS microflow, the logic is different, as the access constraints are not added in the microflow retrieve. The response will be the full list of objects. The objects the user has no access to will only show the GUID, hash and ObjectType, but no attributes (see screenshot: object 0 is one the user doesn't have access to, while the user does have access to object 1).
Retrieving data from the DB in a nanoflow is different from a microflow, as the nanoflow always applies entity access.