Clarify whether/how to integrate the SecurityManager

[struberg]

Currently the whole config approach assumes that all the information is available in the whole ClassLoader/application.

If someone want's to guard against such an access, then this should best be done via the SecurityManager. But how to integrate this best?

[struberg]

We might also end up with coming to the conclusion that we don't want to define this in the spec and leave it to the implementations whether they want to have it.