The method ProxyFactory.createProxyClass switches to ProtectionDomain to weld if proxiedBeanType is of type java.lang.Object.

ProtectionDomain is used in regardless of proxiedBeanType being Object . It's just that in case of Object we know that we had to place the proxy in our own package, hence we use ProtectionDomain of ProxyFactory.

I also don't understand what they try to archive with Typed and Vetoed implementation of the Config interface.

Neither do I, this way, their Config bean is gonna be Object only and vetoed on top of that.

Also, probably due to my lack of experience with java security, I lack to see how ProtectionDomain leads to signed jars? Feels more like security manager and permissions thingie then class signer verification to me.