Should we just re-purpose this report as from a bug to an enhancement to "Wrap ServiceLoader calls in privileged block"?

As for the where/how to best achieve this... Why not just in ClassLoaderService#loadJavaServices itself? Unless I am missing something, the whole point is to apply the privileges granted to Hibernate to these calls. Maybe you envision users granting different privileges to different parts of Hibernate ORM? That seems dubious to me...