apply entity access Y/N only affects if access rules are evaluated IN the microflow, executed on the application server.
The moment you send data from a microflow to the client, entity access rules will be applied and thus objects the users doesn't have access to, will be excluded.
TLDR; this is expected behavior. And luckily it does work like this, otherwise you would be able to read data your aren't allowed to.
Hi Torsten Bert,
In Mendix all the external data’s are added as Mendix object attributes through a structure. That structure is a entity which includes all needed attribute to DB. To access the data , the created useroles must be authorized to access those data where it is about Read or write/creating or retrieving Mendix objects. The created roles must have access right to both data source (DB) and operation(maybe microflow). I hope it helps.