Hello David
Hmm, that’s interesting. The only thing I can think of is that P2 is still installing P4’s Level-2 routes because IS-IS domain/area authentication does not affect Hellos. On some IOS XE/CML images, received LSPs are not strictly validated unless explicit validation is enforced, so mismatched passwords can still result in accepted L2 LSPs.
This looks more like an image or platform-specific behavior rather than an IS-IS rule. If you want deterministic behavior where a mismatch blocks routing, use interface or Hello authentication or explicit LSP validation (or HMAC/MD5 key-chains). It looks like domain passwords alone are not sufficient to guarantee rejection.
This documentation may also prove useful:
I hope this has been helpful!
Laz