Patrick,
If these are ‘production’ entities (i.e. they contain information required for the application to function or are entities that maintain critical business information, I would not open them directly to anonymous users. At a minimum, I would have the Deeplink create objects using an interim entity and institute an approval process where named users (maybe admins) of your application would need to review and approve the anonymously created objects before they are copied to the actual entity. This would maintain some distance between anonymous users and your core data.
I don’t think a sniffer could uncover what entities are being created (the microflow actions called by a deeplink are not exposed in any way). But a hacker could easily call a deeplink repeatedly in an attempt to overwhelm your app, without knowing specifically what the deeplink does.
Hope that helps,
Mike