Yes. Also keep in mind that layers are not just preventive. There are also detection layers. You can frustrate threat actors by reacting to their attempts to get past the password or some other layer by collecting logs and alerts. A simple example would be setting up ssh on your vps with password AND public key auth and the setup fail2ban. Of course it is very hard to bypass public key auth but even if you accidentally post your private key to github or have your personal device hacked, that is still one layer of defense to slow them down.
If threat actors spend sufficient resources they will get past any security layer. There is no such thing as absolute security, good security creates the most hostile environment for threat actors by requiring them to committ the most resources without interfering with normal usability of the system.
If threat actors spend sufficient resources they will get past any security layer. There is no such thing as absolute security, good security creates the most hostile environment for threat actors by requiring them to committ the most resources without interfering with normal usability of the system.