Yaroslav Korobeinikov, 2020-04-26 10:52:46
linux

Creating a jump host server. Access to the Remote Server is open directly, although my local pub_key is not on the Remote Server. Why is this happening?

I'm trying to figure out ssh and how it works. I need to create a jump server; the scheme is simple:
local machine --> jump_host_server --> Remote server
Everything should be very simple:

  • Jump Server stores my pub key
  • Jump Server's pub key is stored on the Remote Server
  • My local pub key is NOT stored on the Remote Server
  • Access must be resolved via authorized_keys on the jump server

What steps did I take:
  • On the server that plays the role of Jump Server, I added my pub_key to authorized_keys and added the settings command="echo 'No command'",no-pty,port-forwarding,permitopen="remote_server_ip_address:22" ssh-rsa AAAAB3N
  • On the Remote Server, I added jump server's pub_key to authorized_keys

Access must be through the command ssh -J user@jump_server_ip_address user@remote_server_ip_address
And everything even works! But.....
  • After these manipulations, I can log in with ssh user@remote_server_ip_address directly, which is very bad and should not happen (I did not create any aliases in ~/.ssh/config, in case that matters).
  • If I remove jump_server's pub_key from the Remote Server, then I can't connect to user@remote_server_ip_address directly.
  • But as soon as I put Jump Server's pub_key back into authorized_keys on the Remote Server, I get DIRECT access back via ssh user@remote_server_ip_address.

To summarize a bit:
  • Remote Server must be accessed exclusively through Jump Server
  • Access rights to Remote Servers must be resolved via authorized_keys on the Jump Server
  • The user should not have access to the Jump Server itself, only use it as a kind of proxy to jump to other remote servers. This is handled in authorized_keys via command="echo 'No command'",no-pty (no-pty locks the console, and the only command executed will be the echo).
  • Access control to Remote Servers is done through setting permitopen="remote_server_ip_address:22" in authorized_keys for each pub_key individually

And the main questions:
  1. Why do I have direct access via ssh user@remote_server_ip_address if my pub_key is not stored in authorized_keys on the Remote Server?
  2. If I comment out my pub_key in the Jump Server's authorized_keys, I can't access the Remote Server with ssh -J user@jump_server_ip_address user@remote_server_ip_address, but I can still access it directly with ssh user@remote_server_ip_address. What is going on?
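
Whatever the reason for the direct login, the Remote Server can be made to honour the intended path by pinning the jump host's key to the jump host's source address with a from= option, and the jump host entry can be tightened with restrict. The shell snippet below is an added example, not part of the question or the answer: it builds both authorized_keys entries and audits a key list for entries that lack a from= restriction (all addresses and key strings are constructed placeholders).

```shell
#!/bin/sh
# Added example (not from the original post): build and audit authorized_keys
# entries for the scheme local machine -> jump host -> remote server.
# Addresses and key strings below are constructed placeholders.

JUMP_IP="192.0.2.10"     # constructed: jump host address as seen by the remote server
REMOTE_IP="192.0.2.20"   # constructed: remote server address
USER_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderNotARealKey1 user@laptop"
JUMP_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderNotARealKey2 jump@jump_host"

# Jump host authorized_keys entry for the user's key: 'restrict' disables pty,
# agent/X11/port forwarding; 'port-forwarding' re-enables forwarding only, and
# permitopen limits it to the remote server's port 22.
jump_entry() {
    printf 'restrict,port-forwarding,permitopen="%s:22",command="echo No command" %s\n' \
        "$REMOTE_IP" "$USER_KEY"
}

# Remote server authorized_keys entry for the jump host's key: from= makes sshd
# accept this key only when the TCP connection originates from the jump host.
remote_entry() {
    printf 'from="%s" %s\n' "$JUMP_IP" "$JUMP_KEY"
}

# has_option LINE OPT: succeed if the option list before the key type contains
# an option starting with OPT (e.g. restrict, no-pty, from=, permitopen=...).
has_option() {
    opts=${1%%" ssh-"*}
    [ "$opts" != "$1" ] || return 1        # line carries no options at all
    case ",$opts," in *",$2"*) return 0 ;; esac
    return 1
}

# count_unpinned: read authorized_keys lines on stdin and count the key lines
# that lack a from= restriction, i.e. keys accepted from any source address.
count_unpinned() {
    n=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        has_option "$line" 'from=' || n=$((n + 1))
    done
    echo "$n"
}

echo "jump host    : $(jump_entry)"
echo "remote server: $(remote_entry)"
printf '%s\n' "$(remote_entry)" "$USER_KEY" | count_unpinned   # prints 1: the bare user key
```

Running ssh -v from the local machine shows which key the remote server actually accepted, which is the quickest way to see why a direct login succeeds.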


1 answer(s)
Denis Sechin, 2020-04-26
@tamogavk

A wildly strange scheme. What's the point of making a JS if there is still access to the RS from outside? Are the accounts for ssh to the JS and ssh to the RS different?
