The reason when you delete a user from one model, it deletes the user from other models within the same workspace is because the user provisioning is done at the workspace level, not the model. You provision a user to a workspace, then from a model perspective you give that person access to the model, as well as roles and selective access within that model.
No, it is not a flaw, it is how Anaplan architecture works and understanding the architecture is key for any software product. You have models encapsulated within workspaces which are encapsulated within a tenant. The protection is before you delete a user, it asks if you are sure? When you say yes, it will delete the user from the workspace. If you only want to remove access to the model, instead of deleting the user, you need to set the user to No Access for the model.