...
For instance, an immutable class that lacks the final qualifier can be extended by a malicious subclass that can change the state of the supposedly-immutable object. Further, the malicious subclass can impersonate the immutable object while actually remaining mutable. Such malicious subclasses can then violate program invariants on which clients depend, thus introducing security vulnerabilities.
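The following added example, which is not from the original page, shows the problem from the client's side and the effect of declaring the class final. All class and method names (`Limit`, `ShiftingLimit`, `FinalLimit`, `checkThenUse`) and the `MAX` bound are hypothetical and chosen only for illustration.

```java
public class ExtensibilityDemo {
    static final long MAX = 100; // assumed bound for this example

    // Looks immutable (private final field, no setter) but is not declared final.
    static class Limit {
        private final long value;
        Limit(long value) { this.value = value; }
        long get() { return value; }
    }

    // Subclass that is accepted wherever a Limit is, yet whose state changes.
    static class ShiftingLimit extends Limit {
        private int reads = 0;
        ShiftingLimit() { super(1); }
        @Override long get() {
            // The first read returns the small value, later reads a larger one.
            return (reads++ == 0) ? 1 : 1_000_000;
        }
    }

    // Hardened form: final, so "class X extends FinalLimit" does not compile.
    static final class FinalLimit {
        private final long value;
        FinalLimit(long value) { this.value = value; }
        long get() { return value; }
    }

    // Client invariant: the returned value never exceeds MAX.
    // It reads twice because it trusts Limit to be immutable.
    static long checkThenUse(Limit limit) {
        if (limit.get() > MAX) throw new IllegalArgumentException("too large");
        return limit.get();
    }

    // Same client logic against the final class: both reads must agree.
    static long checkThenUse(FinalLimit limit) {
        if (limit.get() > MAX) throw new IllegalArgumentException("too large");
        return limit.get();
    }

    public static void main(String[] args) {
        System.out.println("plain Limit:   " + checkThenUse(new Limit(10)));
        System.out.println("ShiftingLimit: " + checkThenUse(new ShiftingLimit()));
        System.out.println("FinalLimit:    " + checkThenUse(new FinalLimit(10)));
    }
}
```

With `ShiftingLimit`, the check passes on the first read and the second read returns a value above `MAX`, so the client's invariant is broken without any exception being thrown.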
...