The userrole 'admin' is mapped to one module role 'admin'. There is an entity called 'MyTest' and has an xpath constraint for the module role. The xpath constraint: [false()]. I assume this means that now a user with the admin userrole is not able to read, write and delete on MyTest. Also, the Mx Framework will hide buttons according to the xpath constraint. However, the datagrid on MyTest allows to create a MyTest record. It saves the record in the database but the record is not visible. So, I cannot read and delete, but I can write. Also the New, Edit and Delete buttons are visible in the datagrid, where I though they would be invisible due to the Xpath constraint. A simple microflow that does a create and showpage and has entity access applied works. When putting the constraint to [true()], I am able to read the records. Why are the New, Edit and Delete buttons visible on the Grid? Why does the constraint work for read and delete but not for write? Why does the microflow work despite of the applied entity access?
1/2 - It's impossible for the client to know if your object will or will not conform to your restrictions until you've actually created it. As such, the constraint you describe will not explicitly prevent a user from creating objects, nor will it remove any buttons. Obviously with the constraint you describe is impossible to circumvent, but the client doesn't know that.
3 - By default, entity access is disabled in microflows. This is specifically so that a developer can perform their own validations and allow a user to change objects they would not be able to otherwise based on internal logic. If you turn on entity access in the microflow properties you should trigger an exception on click when changing attributes. Once again, this will not prevent you from creating objects as detailed above.
The permissions to create or delete are set separately to any x-path constraint. There are checkboxes for this in the entity permissions