The JavaMail spec is clear enough about what should (must) do the implementation. As Chris already said, it returns the actual message content. Security isn't handled in this step. Any implementation altering this value doesn't follow the spec. Any application relying on extra security checks would be based on a implementation (defeating the portability goal), not on the API.
This bug should be closed. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]