As far as I can tell, XLSReport uses OQL behind the scenes, so having entity access monitored looks impossible.
What worked for us was using the client API to retrieve data either via XPath or an access-protected Datasource Microflow, and then rendering the Excel on the client side with ExcelJS.