Mx7 is more strict with the security rules. But since these are non persistent entitties and assuming they have no reference with the session of that user I would just give read access to those entities. I would not worry much about the deliberately chosen not to give access part. It might just as easily be that they have forgotten and since it worked nobody ever thought about them again.
I am doing now the same thing – updating the app from 6 to 7 – and ran into the same errors. :)
From the mendix docs, section 4.3 explains this breaking change:
Their recommendation is to use “ A separate object (which is not sent to the client at all) … for these attributes instead. “