Hi Rob,
I fully agree with you, there are plenty of examples of entities where any user may at least read all records. For example a Country table listing all countries.
I think QSM doesn't necessarily tells you this is wrong, it's a finding telling you: possibly this is a security risk. If this isn't the case, you can accept this finding (at least: that's how Omnext works). And in general I agree with this rule of QSM leading to this finding: if you have entity access enabled, you do care about security, but it seems incomplete when there is no XPath constraint defined.
Regards,
Johan