Not really. It's dubious at best for applets; I haven't used it, but I don't know of any mechanism in the applet environment that prevents libraries from accessing the same APIs as main(), and executing the same side effects. Outside that context, I know there's no such mechanism. Libraries can open whatever files and sockets they feel like, no capability-based permissions required.