Not sure if this is by design or a bug, but I just noticed that if I originate a meeting on Jitsi Meet, and activate lobby mode as well as set up a password, a user requesting access that I then grant does not need to additionally enter the password to enter the meeting. Also, if the user knows the password, they can enter the meeting even if I reject them. So, if this is by design, it suggests to me that one should still keep any password well guarded (and/or frequently changed if using a meeting URL more than once) because rejecting someone in the lobby will be bypassed by the user knowing the meeting’s password. That is, using both lobby and a password do not seem to provide two layers prior to entry into a meeting.
You’re right. This is the way it currently works. If a user has a password, they bypass the lobby. So instead of two layers, it’s actually an either-or.