Yup. The security isn't (only) there to protect your production app, it's there to keep the apps from doing (what we would consider) illegal things and to keep it portable.
You don't want to deploy on your sandbox, have the POC up & running, tell the customer he can buy it and only then realizing that it doesn't run in production.
Thanks Achiel, I wasn't so much questioning the reason for the existence of the Java security restrictions but what is the process to relax those rules in development. The Support Portal isn't streamlined for dev requests. I tried and it was confusing.
But thanks for the explanation, I fully agree.
Also I'm working in a different timezone, so it might take long to get a reply to these requests even if we did work through the Support Portal.
I will simulate Cloud Security and exclude these restrictions locally before asking Support Portal to relax them per batch.