by rowls66 1568 days ago
My understanding is that most of the security defects in the JRE were related to the browser integration. The core Java sandbox was secure.
1 comment

Most of the high-profile security issues have been either sandbox escapes or serialization issues.

The sandbox escapes were made worse by having applets in the browser.

Now that applets are not a consideration any more, the sandbox (SecurityManager) isn't used very much anymore, and the Java devs are looking at deprecating and removing it, so most of the sandboxing features will go away.

I remember when Java applets could prompt the user to accept "all or nothing" permissions and fine-grained permissions weren't supported.