As far I tested the “Apply Entity Access” works as intended in Mendix 9.17 / 9.18. Not sure if this feature was “bugged”/”not implemented” in previews versions.
However, in your first example, you are performing a COMMIT. In that case, Mendix allow it, because we don’t have a “Allow Commit” access right.
As you can see, in Mx 9.18 you can’t, create / delete or change without rights.
Take a look at this learning path (Configure Advanced Security), specifically section 2.6.
Entity access is not applied in microflows, unless you set the property ‘Apply entity access’ to true. In my opinion, you should not use that setting, as it leads to other problems. The better solution is to not give a user role access to a microflow which deletes an object if you do not want that.