The only thing remotely inforceable is caller class checking. You cannot
bypass an exception with setAccesible. Oracle went and removed
Reflection.getCallerClass() completely in favour of StackWalker. At least
we can share the SecurityManage ClassContext, SecurityActions seems the
appropriate venue for our stack trace peek to support the older versions