I noticed a small obstacle while porting code to the Java 9 instrumentation API. It is now required to pass by a security manager to read the class loader from the module (via Module::getClassLoader).
This was not required using the old API. In this sense, it is not really more secure since I can always fall back to the old API but I need to ask a user for an additional privilege that I did not need before if I want to use the new API and a security manager is active. Would it make sense to provide the class loader as an additional argument in the new instrumentation API to avoid this?
