Monitoring Service 1.6.0 does not check user has the right to enter the archive
According to XEP-0313 MAM, 1 a MUC archive MUST check that the user requesting the archive has the right to enter it at the time of the query and only allow access if so.
This is currently not the case for password protected rooms. Any user can access the MAM archive without being prompted for a password.
However, section 5.1.2 MUC Archives 1 is respected and working correctly for moderated chat rooms.
FYI, 1.6.1 is currently removed from the site as it is unusable.
Fixes in version 1.6.1 of the monitoring plugin.