The Sets returned by the variant Subject.get* methods that take a Class parameter (getPrincipals, getPublicCredentials, getPrivateCredentials) enforce the same permission checks that are enforced on the original Sets in the Subject, even though the returned Sets are not backed by the original Sets. I see nothing in the spec about this, nor do I see a good reason for it. (There was a good reason back in EA days when these were still backed by the original Sets.)