If the security association isn't completed on a "must-secure" configured port then no traffic is transmitted. One would need access to the pre-shared keys to successfully use the link.
Now, could one perform a side-channel attack of the memory on the camera and get access to them? Maybe.
Sure the switch will only accept encrypted L2 traffic...but that encrypted link is set up via MKA, which is a part of the 802.1X standard. If you don't have 802.1X authenticating the endpoint, you don't have MKA setting up the encrypted link between that endpoint and the switch and you don't have MACsec.
So if you're trying to prevent a bad guy from getting on your LAN, you need 802.1X, whereas MACsec is an optional extra (a very useful extra if you're worried about MITM attacks). But 802.1X is still doing the heavy lifting w.r.t access control.
Cameras are on their own VLAN. Port isolation is enabled so they can't connect to each other. Only connectivity allowed to/from that VLAN is from the cameras to the router for NTP, and from the NVR to the cameras.
So if you plug in you can... check the current time on my router. Maybe see how many other cameras are on that segment? Likely not going to get very far given you're already caught on camera, an alert's been fired, and pretty soon I'm going to be making a call to the police.
It's not veering, it's a full on car crash ;)
You run MACsec either with 802.1X, or with your switch vendor's favorite color of proprietary switch-to-switch 802.1X replacement. MACsec without 802.1X [or equivalent] is a bit like TLS without certificates. It exists in a few places because some people have really weird custom requirements (TLS with pre-shared keys… TLS with NULL encryption…) but those things shouldn't drive a discussion outside their special usage areas.
In that sense: MACsec implies and requires 802.1X. Exceptions confirm the rule.
The absolute low-tech solution would be to dedicate a switch for it.
If you have decent infrastructure with a managed switch, you can easily create a VLAN.
Besides the fact that the female RJ45 is usually inside the dwelling. You'd have to unmount the camera, pull out the cables and connect to it, all at typical heights of 6' and above. That's maybe a concern in commercial setups, although then we're circling back to VLAN.