Bug 4419495 shows that the J2EE 1.3 RI sets security permissions such that
a doPrivileged block is necessary when using reflection to access a
read method on an IDL Helper class.

com.sun.corba.se.internal.Interceptors.RequestInfoImpl does something very similar in insertApplicationException:

            // Find the read method on the helper class:
            String helperClassName = className + "Helper";
            Class helperClass = ORBClassLoader.loadClass( helperClassName );
            Class[] readParams = new Class[1];
            readParams[0] = org.omg.CORBA.portable.InputStream.class;
            Method readMethod = helperClass.getMethod( "read", readParams );
           
            // Invoke the read method, passing in the input stream to
            // retrieve the user exception. Mark and reset the stream
            // as to not disturb it.
            InputStream ueInputStream = appException.getInputStream();
            ueInputStream.mark( 0 );
            UserException userException = null;
            try {
                java.lang.Object[] readArguments = new java.lang.Object[1];
                readArguments[0] = ueInputStream;
                userException = (UserException)readMethod.invoke(
                    null, readArguments );
            }

Does this need a doPrivileged block as well?

I believe that this would only affect the J2EE RI, since all of this would be in the core JDK when run as part of Merlin.