I guess (and it really is a guess!) that it is because the server does not store a shared note in a folder for the webserver component but instead generates the note from the database on demand when presented with the share token.
The author of Joplin has commented on the issue of a published note password when the point has been raised in the past.
and (taken from this post)
I don't expect this to ever be any different. I feel supporting a password wouldn't make sense because the password is the share key (the URL ID). I guess if someone requires extra security they can always send a part of the URL via one channel and the second part via another one. Share keys are a 32 characters nano-id, and it would apparently take "more than 1 quadrillion years needed, in order to have a 1% probability of at least one collision", so that sounds secure enough.