In the presence of a security manager and a restrictive system-wide security policy, untrusted code is prohibited from performing privileged operations. For example, instantiation of sensitive classes such as java.lang.ClassLoader is prohibited in the context of a web browser. At the same time, it is critical to ensure that untrusted code does not indirectly use the privileges of trusted code to perform privileged operations.
Most APIs install security manager checks to prevent this; however, some do not. These APIs are tabulated below, with the exception of the loadLibrary and load APIs. The loadLibrary and load APIs throw a security exception if the caller does not have permissions to dynamically link the library code. However, they are listed as unsafe because they use the immediate caller's class loader to find and load the library. Moreover, because the loadLibrary and load APIs are typically used from within a doPrivileged block defined in trusted code, untrusted callers can directly invoke that trusted code without requiring any special permissions.
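The loadLibrary case described above, shown as a weak wrapper beside a hardened one. This is an added example, not code from the original page; the class name NativeSupport and the library name "trustedcodec" are hypothetical, and it assumes a JDK that still ships java.security.AccessController.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

// Hypothetical trusted class (assumed name, not from the original page).
public final class NativeSupport {

    // WEAK: public entry point with a caller-controlled library name.
    // System.loadLibrary resolves the library through the class loader of its
    // immediate caller (this trusted class), and doPrivileged limits the
    // permission check to this class's protection domain, so an untrusted
    // caller needs no RuntimePermission("loadLibrary.<name>") of its own.
    public static void loadUnsafe(final String libName) {
        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
            System.loadLibrary(libName);
            return null;
        });
    }

    // HARDENED: the library name is a compile-time constant (constructed
    // placeholder) and the method is private, so other classes can neither
    // choose the library nor trigger the privileged load.
    private static final String LIB = "trustedcodec";

    private static void loadSafe() {
        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
            System.loadLibrary(LIB);
            return null;
        });
    }

    public static void main(String[] args) {
        try {
            loadSafe();
            System.out.println("loaded " + LIB);
        } catch (UnsatisfiedLinkError e) {
            // Expected when run as-is: the placeholder library does not exist.
            System.out.println("not found: " + LIB);
        }
    }
}
```

When reviewing trusted code, check every doPrivileged block that reaches load or loadLibrary for both properties: the enclosing method's accessibility and whether any part of the library name or path comes from a parameter.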
...
Classes that have the same defining class loader exist in the same namespace but may have different privileges, depending on the security policy. Security vulnerabilities can arise if the trusted code coexists with untrusted code, and both have the same defining class loader. This is because untrusted code can freely access members of the trusted code depending on their accessibility. If the trusted code uses any of the tabulated APIs, no security manager checks are carried out (with the exception of loadLibrary and load).
Sometimes untrusted code is loaded by a class loader instance that is different from the one used to load the trusted code. Security vulnerabilities can arise if the untrusted code's class loader delegates to the trusted code's class loader. In the absence of such a delegation relationship, the class loaders ensure namespace separation and disallow untrusted code from observing members or invoking methods belonging to the trusted code.
...