AppOmni publishes a commercial solutions that provides a host of security tools. Examples include Showing Who Has Access to What and logging things that don’t normally get logged by Salesforce Shield. They recently published a report called Understanding Salesforce Flows and Common Security Risks.
It discusses many elements of Flow security, some of which have not gotten much attention. For example, they point out uses of Conditional Field Visibility that can lead to sensitive information being accessible: