Hmmm... If you put your custom password page within the same prototype that you're password protecting, then yes they'd be able to change the URL to see the whole project with the sidebar. If you upload your custom password prototype to a separate ID and have that page link to your project only if the correct password is submitted, then that could help with the URL-changing aspect of the workaround since there wouldn't be anything else to see even if they expose the sidebar (though the main project would still not have a password).
You could also try using a global variable and conditions to control whether the other pages can be viewed before the user has visited and provided correct input on the password page. For example, OnPageLoad of your other pages, you could try something like this:
If value of global variable [[OnLoadVariable]] does not equal [[CorrectPWProvided]]
–Open link to [[123ABC.axshare.com/passwordpage.html]] in New Tab/Window
–Close Current Window
And then on the password page, when the user submits the password, set the variable above to the value that you're checking for OnPageLoad of the other pages, and then link to the landing page. In a quick test on my end it looks like that should keep users from viewing the content on other pages without providing the correct input, since it'll close the tab and open the password page in a new one without the sidebar. It may be a bit wonky, but hopefully it helps a bit or sparks ideas if you need to have the plugin running on your password page!