...
For the purposes of complying with SER13-J, it is permitted to assume that, if an ObjectInputStream contains a whitelist, then control will pass to the readObject or readResolve method of a class C only if C is on the whitelist. In other words, class C does not need to check that it appears on the whitelist; it only needs to check that a whitelist exists. This eliminates the need to perform a redundant check against the whitelist, and it enables compatibility with a greater range of whitelist implementations.
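An added example (not code from the CERT page) showing this allowance in practice: the class's readObject checks only that a filter is installed on the stream, via ObjectInputStream.getObjectInputFilter() (Java 9+), and leaves the membership decision to the stream's filter. The GatedRecord class and the filter pattern are constructed for illustration.

```java
import java.io.*;

// Constructed example class: readObject performs work the rule wants
// guarded, so it first verifies that a whitelist (filter) is installed.
public final class GatedRecord implements Serializable {
    private static final long serialVersionUID = 1L;
    private final String name;

    public GatedRecord(String name) { this.name = name; }
    public String getName() { return name; }

    private void readObject(ObjectInputStream in)
            throws IOException, ClassNotFoundException {
        // Per the allowance: check only that *a* whitelist exists on the stream.
        // The stream already applied it to this class before calling us, so no
        // redundant membership check is needed.
        if (in.getObjectInputFilter() == null) {
            throw new InvalidObjectException(
                "GatedRecord requires a deserialization whitelist on the stream");
        }
        in.defaultReadObject();
        // ...potentially dangerous post-processing guarded by SER13-J goes here...
    }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new GatedRecord("demo"));
        }
        byte[] bytes = bos.toByteArray();

        // 1) No whitelist on the stream: readObject refuses.
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.readObject();
        } catch (InvalidObjectException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // 2) Whitelist installed (ObjectInputFilter.Config pattern syntax): allow
        //    GatedRecord and String, reject every other class with "!*".
        ObjectInputFilter allow = ObjectInputFilter.Config.createFilter(
            "GatedRecord;java.lang.String;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(allow);
            GatedRecord r = (GatedRecord) ois.readObject();
            System.out.println("accepted: " + r.getName());
        }
    }
}
```

If a process-wide filter is configured through the jdk.serialFilter system property, getObjectInputFilter() returns that filter for every stream, so case 1 is accepted as well.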
...