Threat modeling and enforcement of the principle of least privilege:
What scopes or API keys does a microservice minimally need to access other microservices' APIs?
What grants does a microservice minimally need to access a database or message queue?
Data leakage analysis:
Which storages or message queues contain sensitive data?
Does a microservice read/write data from/to a specific database or message queue?
What microservices are invoked by a dedicated microservice? What data is passed between microservices?
Attack surface analysis:
Which microservice endpoints need to be tested during security testing?
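
An added example, not part of the original page: one way to record the architecture information these questions rely on as a machine-readable inventory and query it for each of the three analyses. The inventory layout and every service, scope, store and endpoint name are constructed assumptions.

```python
# Constructed inventory: all service, scope, store and endpoint names are hypothetical.
INVENTORY = {
    "stores": {"orders_db": {"sensitive": False},
               "cards_db": {"sensitive": True},
               "events_mq": {"sensitive": True}},
    "services": {
        "orders": {
            "endpoints": ["POST /orders", "GET /orders/{id}"],
            # target -> (privileges actually used, privileges granted)
            "access": {"payments": ({"payments:charge"}, {"payments:charge", "payments:refund"}),
                       "orders_db": ({"read", "write"}, {"read", "write"}),
                       "events_mq": ({"write"}, {"read", "write"})},
        },
        "payments": {
            "endpoints": ["POST /charge"],
            "access": {"cards_db": ({"read"}, {"read", "write"}),
                       "events_mq": ({"write"}, {"write"})},
        },
    },
}

def excess_privileges(inv):
    """Least privilege: scopes or grants a service holds but never uses."""
    found = []
    for svc, spec in inv["services"].items():
        for target, (used, granted) in spec["access"].items():
            extra = granted - used
            if extra:
                found.append((svc, target, sorted(extra)))
    return sorted(found)

def sensitive_access(inv):
    """Data leakage: which services read or write each sensitive store or queue."""
    result = {}
    for store, meta in inv["stores"].items():
        if meta["sensitive"]:
            result[store] = sorted(
                (svc, sorted(spec["access"][store][0]))
                for svc, spec in inv["services"].items() if store in spec["access"])
    return result

def invoked_services(inv, svc):
    """Data flow: the other microservices that `svc` invokes."""
    return sorted(t for t in inv["services"][svc]["access"] if t in inv["services"])

def attack_surface(inv):
    """Attack surface: every endpoint that security testing has to cover."""
    return sorted((svc, ep) for svc, spec in inv["services"].items() for ep in spec["endpoints"])
```

Each entry returned by `excess_privileges(INVENTORY)` is a grant or scope to revoke; the output of `attack_surface(INVENTORY)` is the endpoint list to hand to security testing.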