In the properties of a microflow you have the setting Apply entity access. When this is set to true the access rights are checked for that user that executes this microflow. If this is set to false those access rights are not checked.
On the runtime level, the data permission is applied according to the rules (Access rules tab of the Entity) modeled. You can’t change them “on-the-fly”.
I would not advise you to create another security layer that you use in data management. This is possible, but it requires you to set the security in the model less restrictive. Hence, when you have a very knowledgeable user, he could bypass it by interacting directly with the client API.
Until now, using the Access rules including XPath could always work, also when using data-driven applications. So, focus on that design.
I could write o blog on it, how to do that. Could you share examples on what you would like to achieve?
Go Make It