SecureClassLoader.getProtectionDomain is invoked by the launcher when loading the main class, so is part of the bootstrap path on most applications. Switching from using an anonymous class to a (capturing) lambda means we are loading a variety of classes and taking a small hit to startup and footprint on all measured startup tests.