...
However, the security manager checks are bypassed if the class loader of the immediate caller is the same as, or a delegation ancestor of, the class loader of the object on which the API is invoked. Consequently, untrusted callers who lack the required permissions can still have sensitive operations performed for them when trusted code, which does pass the class loader check, invokes these APIs on their behalf.
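The class loader comparison described above can be modeled as follows. This is an added example, not code from the original page and not JDK source; the names `LoaderCheckDemo`, `passesLoaderCheck`, `trusted`, `sandboxA` and `sandboxB` are assumptions made for illustration.

```java
import java.net.URL;
import java.net.URLClassLoader;

public class LoaderCheckDemo {

    // Models the condition described above (illustrative, not JDK source):
    // true when the immediate caller's loader is the same as, or a delegation
    // ancestor of, the loader of the object the API is invoked on.
    // A null loader stands for the bootstrap loader, the root of every chain.
    static boolean passesLoaderCheck(ClassLoader caller, ClassLoader target) {
        if (caller == null) {
            return true;
        }
        for (ClassLoader cl = target; cl != null; cl = cl.getParent()) {
            if (cl == caller) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: trusted code lives in this class's loader, and
        // less-trusted code is loaded by child loaders created from it.
        ClassLoader trusted = LoaderCheckDemo.class.getClassLoader();
        try (URLClassLoader sandboxA = new URLClassLoader(new URL[0], trusted);
             URLClassLoader sandboxB = new URLClassLoader(new URL[0], trusted)) {

            // Sandboxed code calling directly on a trusted-loaded object:
            // a child is not an ancestor of its parent.
            System.out.println("sandboxA -> trusted : " + passesLoaderCheck(sandboxA, trusted));

            // Trusted code making the same call on the sandbox's behalf: the
            // immediate caller is now the trusted class, so its loader is compared.
            System.out.println("trusted  -> trusted : " + passesLoaderCheck(trusted, trusted));

            // Trusted code calling on an object loaded by a child loader.
            System.out.println("trusted  -> sandboxA: " + passesLoaderCheck(trusted, sandboxA));

            // Sibling loaders share a parent but neither is the other's ancestor.
            System.out.println("sandboxA -> sandboxB: " + passesLoaderCheck(sandboxA, sandboxB));
        }
    }
}
```

Only the first and last cases would go on to the security manager permission check. In the second case the caller that lacks the permission is never examined, because the comparison uses the immediate caller's loader.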
...