The Jakarta Platform has a very strong emphasis on the security manager, especially when it comes to TCK testing. A lot (or everything?) is tested with the security manager enabled, and constituent specs and implementations have to comply with that.
As the security manager has been deprecated for removal in JDK 17, I wonder if we should not start taking the first steps in EE 10 to anticipate this, even though EE 10 is not targeting JDK 17.
Perhaps we could start with making security-manager-enabled TCK runs optional?