Default SecurityManager preventing worst-case? (Score 2, Interesting)

I'm running a default 1.5.0_07 build on PPC OS X, with the MRJ plugin for Firefox, and I was watching the Java console when I tried his sample evil popup; I've put the stack trace below, but the gist is that

java.security.AccessControlException: access denied (java.awt.AWTPermission setWindowAlwaysOnTop)

it wouldn't let the window be always on top, and indeed it wasn't; I could use my desktop and other apps pretty normally. This isn't the default security policy?

~Jesse

Wed Aug 08 11:57:08 EDT 2007 JEP creating applet FullScreen (http://evil.hackademix.net/fullscreen/classes/)
java.security.AccessControlException: access denied (java.awt.AWTPermission setWindowAlwaysOnTop)
        at java.security.AccessControlContext.checkPermission (AccessControlContext.java:264)
        at java.security.AccessController.checkPermission(Acc essController.java:427)
        at java.lang.SecurityManager.checkPermission(Security Manager.java:532)
        at java.awt.Window.setAlwaysOnTop(Window.java:1358)
        at FullScreen.start(FullScreen.java:30)
        at sun.applet.AppletPanel.run(AppletPanel.java:418)
        at jep.AppletFramePanel.run(AppletFramePanel.java:176 )
        at java.lang.Thread.run(Thread.java:613)