I suggest an idea which needs to exists on the API of Dynamics 365n and the company needs. When you restrict an entity to a security role, even if another entity doesn't have access to an entity keep appearing on the api request /entities or /EntityDefinitions. I would suggest to have a field that will tell if the role has access to an entity or not. Or, not show the another entities that the role doesn't has acess.