Why is this an issue?

Only users with the required roles should be allowed to trigger inbound action.

Best practices

All inbound actions (table Inbound Email Actions sysevent_in_email_action) should have roles mentioned in "Required roles" field to secure actions triggered from inbound actions.