Couple of questions about SMB versions and encryption on SCALE

I had the following settings via cli API as a test:

server min protocol = SMB3_11
server signing = mandatory
client smb encrypt = desired

However i’m still seeing successful connections from 2_10 and 3_02 clients. Only if i remove AES-128-CCM from server smb3 encryption algorithms, they can’t connect but weirdly on shares that does not enforce encryption. So how exactly does min protocol work on samba?

Also, is server signing = mandatory redundant since i don’t support SMB1? According to MS documentation, signing is always enabled on SMB2 and newer.

Third question, does encryption supersede signing on Samba? Microsoft says it does but in TrueNAS SMB sessions i still see BOTH signing and encryption actions on a share that requires encryption.