A component is reachable by any other app on the device and is not protected by a permission. A launcher entry point is expected to be exported and is not reported.
An exported activity/service/provider without a permission is a public entry point: any installed app can launch it, feed it intents, or query it. Exported providers frequently leak whole databases; exported activities skip your login wall.
Other apps on the device can read data or drive flows you assumed were internal.
<permission android:name="com.you.PERM" android:protectionLevel="signature"/>
<provider android:name=".DataProvider"
android:exported="true"
android:permission="com.you.PERM" .../>