...
- The object's class is package-private and untrusted code cannot infiltrate the package.
- No objects of that class (or a subclass) ever escape its package, for instance, because of
thisreference leaks (which are described in CON14-J. Do not let the "this" reference escape during object construction). - None of the object's superclasses use synchronization at all.
...