My theory is that there is already a list of pre-generated addresses, they are just hidden from the address book.
Spontaneous creation just un-hides the next one from the list, which doesn't require the password.
Correct.
But then why doesn't manual creation do the same trick?
I grumble about this because it's very inconvenient how it works now.
Because currently when you create a new address, a new one has to be added to the list so that you don't run out.
To be honest it could be done better - it could just do it every n times, but that wasn't done... patches welcome or file a feature request on GitHub:
https://github.com/bitcoin/bitcoin/issues
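
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not Bitcoin Core's code: a simplified model in which un-hiding a pre-generated address needs no passphrase, while refilling the pool does, with the "every n times" refill suggested above as a parameter. All class, method and parameter names are hypothetical, and the address labels are constructed stand-ins for real key generation.

```python
import hashlib
from collections import deque

class PassphraseRequired(Exception): pass

# Hypothetical model of the thread's description; not Bitcoin Core's code.
class ToyKeypoolWallet:
    def __init__(self, passphrase, pool_size=3, topup_every=1):
        self._check = hashlib.sha256(passphrase.encode()).hexdigest()
        self.pool_size = pool_size
        self.topup_every = topup_every  # 1 = refill on every manual request
        self.pool = deque()             # pre-generated, hidden from the address book
        self.address_book = []
        self._generated = 0
        self._manual_calls = 0
        self._fill()                    # wallet is created unlocked, so the pool starts full

    def _verify(self, passphrase):
        digest = hashlib.sha256((passphrase or "").encode()).hexdigest()
        if passphrase is None or digest != self._check:
            raise PassphraseRequired("adding keys to the pool needs the passphrase")

    def _fill(self):
        # Stand-in for real key generation: constructed, deterministic labels.
        while len(self.pool) < self.pool_size:
            self._generated += 1
            self.pool.append(f"addr-{self._generated:04d}")

    def _unhide_next(self):
        if not self.pool:
            raise PassphraseRequired("pool is empty; unlock to refill it")
        addr = self.pool.popleft()
        self.address_book.append(addr)
        return addr

    def spontaneous_address(self):
        """Un-hide the next pre-generated address; no passphrase involved."""
        return self._unhide_next()

    def manual_address(self, passphrase=None):
        """Hand out an address, refilling the pool on every n-th request."""
        refill_due = (self._manual_calls + 1) % self.topup_every == 0
        if refill_due:
            self._verify(passphrase)    # fail before any state changes
        self._manual_calls += 1
        addr = self._unhide_next()
        if refill_due:
            self._fill()
        return addr
```

With `topup_every` greater than 1, `pool_size` has to be at least as large, otherwise the pool empties between refills.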