A user role defines the user's rights and access for the whole application, while a module role defines what a user can do and access in a specific module. User roles (on app level) can be assigned module roles, so that users have specific access to a specific module.
For example, a user role ‘Manager’ that has the module role ‘Approver’ in module X means that app users with the ‘Manager’ user role only have access to the stuff (objects, pages, microflows, etc.) that is assigned to that module role in module X. If the user role ‘Manager’ has no module roles in module Y, users with the ‘Manager’ user role don't have any access to anything in module Y.
This way you can really fine-grain your role-based access control throughout your whole application.
The module roles ensure that modules are, well, modular. Because you can import and export modules between different Mendix apps you cannot use the project roles to assign security. You can assign project roles with module roles to more easily transfer security rules between Mendix applications. Project roles are stored in the UserRole entity in the System module. A User is another System entity which handles all authentication and access rights management with those UserRoles.
So I can have a User named Mark who is an Administrator, which is one of the roles defined in the project settings. My application has a module named TicketSystem which has a TicketAdmin role. I’ll assign the project role of Administrator to the module role TicketAdmin. Now every Administrator in my project will have the module role TicketAdmin which allows them to manage tickets.
If I want to have the TicketSystem module in another application, I can just export the whole module and then assign the TicketAdmin role to any of the roles that are defined in my other application.
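The two-level scheme described in the posts above, as an added plain-Python model (not Mendix code and not from the original posts). It shows the deny-by-default resolution and a check for module roles left unmapped after a module is imported into another app; the document names `Ticket_Overview` and `ACT_Ticket_Close` and the class and method names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Module:
    name: str
    # module role -> documents (pages, microflows, entities) it may access
    role_access: dict = field(default_factory=dict)

@dataclass
class App:
    modules: dict = field(default_factory=dict)
    # user (project) role -> set of (module name, module role) assignments
    user_roles: dict = field(default_factory=dict)

    def import_module(self, module):
        # Only the module and its module roles travel; user-role mappings do not.
        self.modules[module.name] = module

    def assign(self, user_role, module_name, module_role):
        if module_role not in self.modules[module_name].role_access:
            raise KeyError(f"{module_name} has no module role {module_role}")
        self.user_roles.setdefault(user_role, set()).add((module_name, module_role))

    def can_access(self, held_user_roles, module_name, document):
        # Deny by default: access exists only through an assigned module role.
        for user_role in held_user_roles:
            for mod, mod_role in self.user_roles.get(user_role, ()):
                if mod == module_name and document in self.modules[mod].role_access[mod_role]:
                    return True
        return False

    def unmapped_module_roles(self):
        # Module roles no user role holds yet, e.g. right after an import.
        assigned = set().union(*self.user_roles.values())
        return sorted((m.name, r) for m in self.modules.values()
                      for r in m.role_access if (m.name, r) not in assigned)

# Constructed sample data mirroring the TicketSystem example above.
ticket_system = Module("TicketSystem",
                       {"TicketAdmin": {"Ticket_Overview", "ACT_Ticket_Close"}})

app_a = App()
app_a.import_module(ticket_system)
app_a.assign("Administrator", "TicketSystem", "TicketAdmin")

app_b = App()  # second application: module imported, nothing mapped yet
app_b.import_module(ticket_system)

if __name__ == "__main__":
    print(app_a.can_access({"Administrator"}, "TicketSystem", "Ticket_Overview"))
    print(app_b.unmapped_module_roles())
```
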