I should’ve clarified that I’m using a secure domain, so anyone who arrives at the meeting URL must wait for a moderator to arrive and log in.
No, they can’t enter the room before the moderator, but they are automatically admitted immediately after the moderator authenticates and enters the room.
So if the moderator is “running late” and logs into the room just a couple minutes before (or after) the scheduled start time, then everyone who was waiting is just freely admitted. That doesn’t seem desirable and is not the behavior I’d expect.
I do understand that the lobby can’t be enabled until the room exists, but perhaps there should be a “start meeting” (or “open the doors”) feature that only moderators can invoke. Otherwise, the lobby is just trivial to bypass.