2.4.4 works fine with and without security manager.

When does SM come into play? It shouldn't be making a difference if we talk signed packages, or am I wrong?

I would agree, but it worked for us for the last ~2 years.

Were your packages signed even before? I can't see how that worked - it would need to blow up during package verification, unless you somehow skipped that?

Ideally, would you have a reproducer? That's probably the fastest way to determine what's happening