By default, access rules are not applied for microflow actions. So you can retrieve, delete, and change objects even if you don't have the domain model access but do have the rights to execute the microflow which does these actions.
So a retrieve action in a microflow will retrieve all objects, but if the objects are passed on to a page (for example, if it's a datasource microflow), you will still only see those objects you are allowed to see.
But, for example, if you don't have delete permissions in the domain model but you do have permission to a microflow which has a delete action, you are allowed to delete an object.
Another example: if you do a retrieve and then a delete action, you can delete all objects, not only those for which you have domain model rights.
If you want to ensure domain model access rules are applied in microflows, you can set the option 'Apply entity access' to yes.
Then, the domain model constraints will be applied.
See the documentation for more info: https://docs.mendix.com/refguide/microflow#apply-entity-access
By default, microflows have the option 'Apply Entity Access' set to 'false' (also recognizable by the white background in your microflow). This means that the access rules set in the Domain Model are not applied. This is easy because otherwise any microflow triggered by a normal user would never be able to reach any data that, even though they aren't allowed to read it themselves, might affect the flow of the microflow.
If you want, you can turn on 'Apply Entity Access' in order to apply the domain model entity access rules in that specific microflow. This will turn the background of your microflow a faint yellow.