Your argument boils down to "I came up with one scenario where this is bad, so it can't work at all" and I find this dissatisfying. If this hypothetical student "shared" their user account and then disavowed giving it out, you would have the same issues.
>How do you solve problems arising from bad actors without an object representing the user?
In response to the argument that user objects are no longer needed, even for something like virtual meetings. The scenario of zoombombing isn't something "I came up with", it's a real life scenario that having a user object helps prevent bad actors with.
In the event of a user sharing their account, you would know who it was and be able to hold the bad actor accountable, as opposed to a meeting URL being shared. I think the better question is why you are so hostile to the idea of user accounts having utility.
You can easily generate individual share links for every pupil and sanction the one whose link was used by a hundred random people from all over the world to join the conference. Jitsi and Big Blue Button are both able to handle this special use case where users aren't trusted to act in good faith I believe.
You can just make your own list. Generate 20 links, paste them somewhere, have your list of students next to it. Delete the list if nothing happened, check which number offended if it went wrong.
If you can trust the platform, in cases where the school hosts the program itself, the names can be added to the links directly. You don't need a big db of students for this, just an ephemeral list of strings.
https://en.wikipedia.org/wiki/Zoombombing