I have an application that has an anonymous user and a registration page.
This anonymous user can manage another role called the public user role.
I have a user account entity which inherits from the account entity.
And I applied the security on the level of my user account entity for the anonymous user role and prevented reading and writing (or even if the anonymous user role has no access on the level of my user account entity).
When I send a hacking request without logging in (anonymous user), I can read the data for the user account with the public user role.
So, because the anonymous role can manage the public user role, Mendix will ignore any entity access applied on the user account entity for the public user role.