This rule is meant to prevent the unintentional serialization of sensitive information. SER02-J, "Sign then seal sensitive objects before sending them outside a trust boundary", applies to the intentional serialization of sensitive information.
It is still possible for an attacker to obtain uninitialized instances of SensitiveClass by catching NotSerializableException or by using a finalizer attack (see OBJ11-J, "Be wary of letting constructors throw exceptions", for more information). Consequently, an unserializable class that extends a serializable class must always validate its invariants before executing any methods. That is, any object of such a class must inspect its fields (to confirm its constructor actually ran), its actual type (to prevent it from being a malicious subclass), and any other invariants it possesses (such as not being a malicious second object of a singleton class).
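The following Java class is an added illustration of the advice above and is not code from the CERT rule or its compliant solutions. SerializableBase, the secret field and the initialized flag are assumptions made for the example. SensitiveClass inherits Serializable from its superclass, so it refuses serialization in both directions by throwing NotSerializableException, and every public method first performs the three checks the text describes: fields set by the real constructor, exact runtime type, and singleton identity. Because both instance fields are final and set only in the private constructor, an instance whose constructor never ran (for example one captured during a failed deserialization) is left with the default values false and null and is rejected.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Assumed serializable superclass that SensitiveClass cannot avoid extending.
class SerializableBase implements Serializable {
    private static final long serialVersionUID = 1L;
}

// SensitiveClass does not declare Serializable itself but inherits it from
// SerializableBase. It is a singleton that holds secret state.
class SensitiveClass extends SerializableBase {
    private static final long serialVersionUID = 1L;

    // Constructed sample secret; a real application would load it securely.
    private static final SensitiveClass INSTANCE =
            new SensitiveClass(new byte[] {1, 2, 3});

    // Both fields are final and assigned only by the private constructor, so an
    // instance whose constructor never ran keeps the defaults null and false.
    private final byte[] secret;
    private final boolean initialized;

    private SensitiveClass(byte[] secret) {
        this.secret = secret.clone();
        this.initialized = true;
    }

    static SensitiveClass getInstance() {
        return INSTANCE;
    }

    // Refuse serialization in both directions before any field is touched.
    private void writeObject(ObjectOutputStream out) throws IOException {
        throw new NotSerializableException(getClass().getName());
    }

    private void readObject(ObjectInputStream in) throws IOException {
        throw new NotSerializableException(getClass().getName());
    }

    // Even if a stream were ever accepted, never let it replace the singleton.
    private Object readResolve() {
        return INSTANCE;
    }

    // The three checks the rule calls for, run before any method does work.
    private void checkInvariants() {
        if (getClass() != SensitiveClass.class) {      // actual type: no subclass
            throw new SecurityException("subclass of SensitiveClass not permitted");
        }
        if (!initialized || secret == null) {           // fields: constructor ran
            throw new SecurityException("uninitialized SensitiveClass instance");
        }
        if (this != INSTANCE) {                         // singleton: no second object
            throw new SecurityException("duplicate SensitiveClass instance");
        }
    }

    public int secretLength() {
        checkInvariants();
        return secret.length;
    }

    public static void main(String[] args) throws IOException {
        SensitiveClass s = SensitiveClass.getInstance();
        System.out.println("secret length: " + s.secretLength());

        // A serialization attempt is refused before any field is written.
        try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
            out.writeObject(s);
            System.out.println("serialized (unexpected)");
        } catch (NotSerializableException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

Declaring SensitiveClass final would make the getClass() check redundant and is the simpler option when subclassing is not needed; the explicit check is kept here only to show the test the text describes. The readResolve method is a second line of defense, not a substitute for the invariant checks, because it runs only after deserialization has already produced an object.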
SER03-J-EX0: Sensitive data that has been properly encrypted may be serialized.