...
Classes and class members should be given minimum possible access so that malicious code has the least chance of compromising their security. As far as possible, sensitive classes should avoid exposing internal functionality through interfaces because interfaces allow only public methods, and such methods carry forward to the public Application Programming Interface (API) of the class. An exception is implementing an unmodifiable interface that exposes a public immutable view of a mutable object (SEC14-J. Provide sensitive mutable classes with unmodifiable wrappers). Additionally, note that even if a non-final class's visibility is default, it can be susceptible to misuse if it contains public methods.
The protected accessibility is illegal for defining top-level classes, though nested classes can be declared protected. Fields should rarely be declared protected because untrusted code in another package may subclass the class if it is public and non-final and access the member. Furthermore, protected members are part of the Application Programming Interface (API) of the class and require continued support. If this guideline is followed, there is no need to declare a field as protected. The guideline OBJ00-J. Declare data members as private and provide accessible wrapper methods recommends declaring fields as private.
If a class, interface, method or field is part of a published Application Programming Interface ( API ) such as a web service end point, it may be declared public. If not, it should be declared either package-private, protected or private. For example, classes are encouraged to provide public static factories to implement instance control with a private constructor provided the class is not security critical.
...