Port security and MAC Lockout
MAC Lockout is independent of port-security and in fact overrides it. MAC Lockout is preferable to port-security to stop access from known devices because it can be configured for all ports on the switch with one command.
If a MAC Address is locked out and appears in a static learn table in port-security, the apparently "authorized" address is still locked out anyway.
MAC entry configurations set by port security are kept even if MAC Lockout is configured and the original port security settings are honored once the Lockout is removed.
A port security static address is permitted to be a lockout address. In that case (MAC Lockout), the address is locked out (SA/DA drop) even though it's an "authorized" address from the perspective of port security.
When MAC Lockout entries are deleted, port security then re-learns the address as needed later on.