...
Mutable classes must provide either a copy constructor or a public static factory method that returns a copy of an instance. Alternatively, final classes may advertise their copy functionality by overriding java.lang.Object's clone() method. Use of the clone() method is secure only for final classes; non-final classes must not take this approach (see OBJ03-J. Sensitive classes must not let themselves be copied).
Trusted callers can be trusted to use the provided copy functionality to make defensive copies before passing object instances to untrusted code. Untrusted callers cannot be trusted to make such defensive copies. Consequently, providing copy functionality does not obviate the need for making defensive copies either of inputs received from, or of outputs that are returned to, untrusted code.
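The following is an added example, not code from the original page: a mutable class that offers a copy constructor and a static factory, and a holder that still copies on the way in and on the way out because it cannot rely on its callers to do so. The names CopyDemo, Validity and Session are hypothetical.

```java
import java.util.Date;

public class CopyDemo {
    public static void main(String[] args) {
        Validity callerOwned = new Validity(new Date(1_000L));
        Session session = new Session(callerOwned);

        callerOwned.setNotAfter(new Date(9_000L));           // caller mutates after the hand-off
        session.getValidity().setNotAfter(new Date(9_000L)); // caller mutates the returned object

        // Both mutations hit copies, so the session must still expire at t=1000.
        if (session.isValidAt(new Date(5_000L))) {
            throw new AssertionError("internal state was modified through an alias");
        }
        System.out.println("session state unchanged");
    }
}

// Hypothetical mutable, non-final class: it provides a copy constructor and a
// static factory instead of clone(), which a subclass could override.
class Validity {
    private Date notAfter;

    Validity(Date notAfter) {
        // Date is itself mutable and non-final, so copy by value, not with clone().
        this.notAfter = new Date(notAfter.getTime());
    }

    // Copy constructor: reads the private field directly, so an overridden
    // getter in a subclass cannot influence the copy.
    Validity(Validity other) { this(other.notAfter); }

    static Validity copyOf(Validity other) { return new Validity(other); }

    Date getNotAfter() { return new Date(notAfter.getTime()); }
    void setNotAfter(Date d) { this.notAfter = new Date(d.getTime()); }
}

// Hypothetical class that exchanges Validity instances with untrusted callers.
final class Session {
    private final Validity validity;

    Session(Validity fromCaller) { this.validity = new Validity(fromCaller); } // copy input

    Validity getValidity() { return Validity.copyOf(validity); }               // copy output

    boolean isValidAt(Date t) { return !t.after(validity.getNotAfter()); }
}
```

Because the copy constructor always builds a plain Validity, an instance of an untrusted subclass passed to Session is reduced to the base class before it is stored.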
...