By default, forms and microflows "inherit" the security settings from the caller. For example, when calling a sub-microflow from a microflow that is part of the user interface, security settings are only required for the latter. This is also true for some forms: a "new/edit" form "inherits" the security settings from the object in the form (e.g. no create permission means no access to a "new" form), and a "select" form of a reference set selector derives its security settings from the user permissions on that reference.
Because of this, you'll only see the forms/microflows in the security overview that are the "starting points" for user interaction.
Microflow Access defines which microflows can be executed by users with a certain module role. The menu bar is optimized so that it only shows forms and microflows that the user has access to. It's not an error.