While property access rules are sometimes defined per-response, I think it would be reasonable to exclude any properties that are not readable or writable at the common model level (unreadable - from Entity, unwritable - from EntityUpdate).
Limitation: if per-request entity overlays re-enable previously hidden properties, they will still stay hidden in the OpenAPI model. This is not that different from a case when per-request overlays would define entirely new properties (those will also not show up).