Support

Please read the information under "Browser cookie override for the administrator secret URL parameter" in https://www.akeeba.com/documentation/admin-tools-joomla/waf-configure.html#waf-configure-basic-protection. Since you've already used the secret URL parameter once, there's a cookie in your browser which "remembers" you did that, allowing you to continue even though you did not enter it again. If you want to try whether this feature works use Private / Incognito mode in your browser, ideally from a device with a different Internet connection – a mobile phone or tablet on a cellular connection would be the simplest way.

Regarding our site, the search is at the top right of the page. The little magnifying glass icon. It takes you to DuckDuckGo with a preset query to search our site. Append your own query to it and hit that search button. As to why I chose to implement it like that: Joomla's Smart Search is incredibly slow, it uses up a monumental amount of database space, it gobbles up CPU and memory like kids do candy the day after Halloween, and it returns far worse results than any search engine I tried. 

The secret URL parameter feature itself depends only on cookies. This feature sets a session flag, and optionally a cookie. The session depends on a cookie set by Joomla. So, the dependency is Joomla's session cookie, and the optional cookie set by Admin Tools itself. These cookies are unset every time you run the Private Browsing mode.

However, if you whitelist any IP on your site then every time you access your site for a whitelisted IP address ever security feature, including the secret URL parameter, will not apply.

That's why I asked you to use Private Browsing "ideally from a device with a different Internet connection – a mobile phone or tablet on a cellular connection would be the simplest way". You see why I am using this specific phrasing? Using the Private Browsing mode deals with the cookies. Using a different Internet connection deals with whitelisted IP addresses. 

The latter seems to be the case:

I also have admin IP restriction activated: that works

When you try to access your site's administrator from an IP added to the Administrator Exclusive Allow IP List no security measures are applied against you, including of course the secret URL parameter. As per the documentation:

IPs added to the Administrator Exclusive Allow IP List are fully vetted as far as Admin Tools is concerned. This means that no security measure will be applied against them. Please place only very well trusted IPs in this list! If an attack is launched from this IP, it will not be blocked by Admin Tools!

Mystery solved!

Another thing that is not working is the custom meta content generator tag. I have it set to be the name of my website and it used to work (overriding the Joomla tag). Now there is no generator tag at all (which is fine by me). Granted, I haven't checked this in ages, so maybe it stopped working before my switch to the load balancer.

Admin Tools tells Joomla that the generator meta tag content should be whatever you typed. Whether a meta generator tag is output at all depends on your site's template.

Also note that other plugins on your site may choose to change or remove the generator meta tag.

The load balancer –whose only job is to route requests to two or more internal servers to equalise, nay, balance the server load on them– has absolutely nothing at all to do with your site's output.