The startup microflow is executed in a system context so for all intents and purposes it has superuser rights (i.e. it is allowed to do everything).
There is no simple answer for this question Enzo. The reason is that first at all there are three project security levels: switch off, demo mode and production. The modeler makes security checks and if there are things to improved it shows a yellow light and background on specific security areas op project level.
Beside the project level you can implement security by different roles on each module. Those roles can be limited to specific modules only or combined on project level to one, several, or all modules.
Furthermore you can give a user role specific access possibilities like create, delete, read only, and exceptions on associations en rest services.