...
- it sufficiently documents that callers must not pass objects of this class to untrusted code,
- trusted callers do not use any untrusted classes that violate this guideline directly or indirectly,
- the synchronization policy of the class is properly documented
A client may use a class that violates this guideline, if all the following conditions are met:
- it does not not pass objects of this class to untrusted code by using suitable encapsulation
- it does not use any untrusted classes that violate this guideline directly or indirectly
Risk Assessment
Exposing the class object to untrusted code can result in denial-of-service.
...