Yes you can give access to non- persistable entities for anonymous users. Useful to create or delete objects based on anonymous role as per your choice. As an example in login page you may use Login entity as non - persistable as it is for some time and anonymous has to see login page.
Other uses as well of the non persistent entities(One Object) is that you can create many to one associations with Persistable entities(Many Objects) as well based on your requirement
The way you handle security from technical point of view for anonymous users is 100% equal to handling security for named users.
You need to define a User role (most logically named Anonymous) , this user role needs module roles (again name them anonymous) in the modules where data/function is situated for the anonymous user. Grant access to entities, pages, microflows in the same technical way as for module roles of named users.
However, as of today we do have 8 billion people on earth, which result that you do have in potention 8 billion anonymous users in the app. 8 billion people you don't know. A reasonable amount of this 8 billion has the profession of being hacker or do have the habit of doing stuff which they are not allowed to do.
In short: security for named users is very very important. security for anonymous users is 1000x more important. Thus choice you make on exposing data and function for anonymous users must be taken very carefully and very restricted.
TDLR: anonymous configuration is 100% equal to named users, but more careful