Reflection with the permissions of trusted code is one of the "ultimate" security breaches in Java. Never permit untrusted code to invoke any API that eventually uses reflection to accomplish its actions.

Exception: Such transitive invocation is permitted when both (a) the arguments are fully sanitized (e.g. both sanitization and taint analysis are successful) and also (b) the results of the reflective operations are fully hidden (e.g. those results do not leak as per new-SEC05).