The default SAXReader in the new dom4j version, has these security defaults.
I think it would be a good idea, not to use fewer security SAXReader features than the default one.
Maybe additional features are needed.