I'm getting lots of warnings that say "such-and-such a microflow specifies module roles but is not used publicly". I think these are microflows that are only called from other microflows. Can they safely be ignored or is there an easy way of getting rid of them? Is it a problem if a microflow calls another and the called microflow has tighter permissions than the caller?
Yes these Microflows are only called from other Microflows (or Java actions), meaning that setting security on them is pointless and could give you a false sense of security, as Microflows can always be run by other Microflows and security only prohibits a user calling one directly. I would remove the security on these Microflows instead of ignoring the warnings.