...
The guideline "CON04-J. Synchronize classes that may interact with untrusted code using a private final lock object" recommends documenting the locking strategy of classes designed for inheritance. This information is useful for deciding the locking strategy of subclasses.
...
This compliant solution does not violate "CON04-J. Synchronize classes that may interact with untrusted code using a private final lock object" because the class is package-private, which is allowable when untrusted code cannot infiltrate the package.
...
This noncompliant code example defines a doSomething() method in class Base that uses an internal private lock, in accordance with "CON04-J. Synchronize classes that may interact with untrusted code using a private final lock object".
...