The java-security-manager-deprecation not withstanding JEP-411 (Deprecate the Security Manager for Removal), would enabling sandbox mechanism by leveraging the java security-manager (and associated class-loading mechanisms) be a good approach?
As I understand it (and mentioned in the JEP-411 as well), they were originally intended to do just that - keep applets from running rogue code.
So the most reliable technique, spanning across libraries (since the same vulnerability can be introduced theoretically in any open-source library), would be to enable the sandbox mechanism ?
This way the remote code would end up being loaded from the temp-dir or some non-approved location. Thus it would help keep applications safe inherently rather than rely on external mechanisms to protect the application.
Is my understanding correct ?
Note - As per the original JEP-411 entry, the approach to securing environment is by alternate means, including and not limited to - use of containers !