This question is more or less the same as Restrict Certain Java Code in a Plug-In, however the accepted answer was simply to further search with Google, what I already did without having this question answered.
Effectively, I want special security constraints only for code I load via plug-ins.
When a plug-in is loaded and started, all it gets are special objects from my application with which they can interact. Plug-ins shall not be allowed to access the file system, open network connections, etc. They're only allowed to "talk" with the objects I gave them.
However my application loading/running those plug-ins should have no restrictions. In other words, the security should only be enforced to the plug-ins.
There's also a very insightful post on The FogBugz Plugin Architecture, more specifically the part about Plugin Security and AppDomains which exactly is I'm trying to achieve in Java.
Unfortunately I'm not able to answer just the question without implementation whether this is possible and what would be necessary.