I have a topic open regarding the lack of a required password for invites from a trusted user: https://meta.discourse.org/t/require-password-for-trusted-user-invites/13750
One of the possible solutions is a limitation on how long the tokenized invite link will work. Expiring sessions would be an indirect way of addressing the issue(s) I raised. Although, it seems like clicking on the original invite link would just initiate a new session regardless.