The LWT is not checked for authorization.

Simple example:

const aedes = require('aedes')({ authorizePublish: (a, b, c) => c(new Error("Not allowed")) });
require('net').createServer(aedes.handle).listen(1883);

Now, from a client, connect and subscribe to "will".

From another client, connect with a last will message with topic "will". Then send a message to "test", breaking the connection (because of authorization failure).

Breaking the connection will trigger the LWT, and thus sends a message to "will", which can be seen in the other client.