What is the security context of Invocable Methods run by Process Builder

Invocable Actions are called through the REST API. In fact, you can use them outside of flows, such as just calling them in JavaScript, or in Salesforce1, etc. That said, it makes sense that security would be enabled by default, since it can be accessed from any context. In fact, the Invocable Action can't even be called unless the user has profile or permission set access to the class. I don't think you'll find any documentation on it, though.


I've confirmed that invocable methods inside classes with inherited sharing will run with sharing when called from Process Builder, which is unfortunate because Process Builder is supposed to essentially run without sharing. Maybe this was an oversight?
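The following is an added example, not code from either answer above: one way to keep an invocable method's record visibility from depending on the caller is to delegate the query to an inner class that declares its sharing mode explicitly. The class, method and label names are hypothetical, and the choice of `without sharing` assumes the automation is meant to see every record.

```apex
// Added example: OpenCaseCounter, SystemReader and countFor are hypothetical names.
public inherited sharing class OpenCaseCounter {

    // Entry point for Process Builder, Flow or the REST invocable-action API.
    // The outer class is "inherited sharing", which the page reports as
    // running with sharing when Process Builder is the caller.
    @InvocableMethod(label='Count open cases per account')
    public static List<Integer> countOpenCases(List<Id> accountIds) {
        // Explicit decision: this automation must count every open case,
        // so the query is delegated to a class declared "without sharing".
        Map<Id, Integer> counts = new SystemReader().countFor(accountIds);

        // Invocable methods are bulkified: return one output per input,
        // in the same order as the inputs.
        List<Integer> results = new List<Integer>();
        for (Id accountId : accountIds) {
            results.add(counts.containsKey(accountId) ? counts.get(accountId) : 0);
        }
        return results;
    }

    // An inner class does not inherit the outer class's sharing declaration,
    // so it states its own. Declaring it "with sharing" instead would limit
    // the count to cases the running user can see.
    private without sharing class SystemReader {
        public Map<Id, Integer> countFor(List<Id> accountIds) {
            Map<Id, Integer> counts = new Map<Id, Integer>();
            for (AggregateResult row : [
                SELECT AccountId acct, COUNT(Id) total
                FROM Case
                WHERE AccountId IN :accountIds AND IsClosed = false
                GROUP BY AccountId
            ]) {
                counts.put((Id) row.get('acct'), (Integer) row.get('total'));
            }
            return counts;
        }
    }
}
```

Because the method returns only a count, widening visibility here does not hand record contents back to the caller; any method that returns field values from a `without sharing` class needs its own access checks.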