That anyone can edit any of those entities. I guess you could compare it to opening up your datastore like a wiki, anyone can edit. If that doesn't bother you, it's fine.
But in your example of users which have forgotten their password it is recommended to create separate entities to which the guest user has access. Always try to create sort of an proxy in front of your normal application to make sure that the guest users are not only allowed to edit your main application but do have full acces to your 'proxy module'
You always have to make sure that the guest user can do as little as possible, in your example you should create an IForgotMyPassword entity which can be fully edited by a guest user. With an microflow (commit or save) you should change the correct user object.
This way guest users can't acces important objects in your application but is it still possibly create this function.
The Public Profile applications in the Appstore shows exactly how you can use deep linking to enable password recovery.
Yes but if you need to enable users to reset their password it is not enough to enable 'guest access' in the deeplink definition itself. They are anonymous because they have lost their password.