Jakarta EE is specifically mentioned:
"Jakarta EE has several requirements on the Security Manager. These must be either relaxed or removed in order for compliant applications to run on future Java releases after the Security Manager is degraded and then removed."
Now I've personally been arguing for not using/depending on the security manager in server-side code for a long time. The idea of running potentially untrusted code on your own server always struck me as awkward and something you would not do anyway, even when running multiple applications on a single server instance was still somewhat of a thing.
The TCK and GlassFish use the security manager a lot, so that would have to be removed depending on the final outcome of JEP 411.