See https://mail.openjdk.java.net/pipermail/jdk-dev/2021-May/005616.html

"We have updated the JEP with a few changes to the "Issue Warnings" 
section [1], summarized as follows:

If the Java runtime is started without setting the system property 
'java.security.manager' then a custom Security Manager can be installed 
dynamically by calling System::setSecurityManager, just as in Java 16. 
No UnsupportedOperationException will be thrown. This call will, 
however, issue a warning message explaining that the Security Manager is 
deprecated and will be removed in a future release.

We plan to change the default value of the 'java.security.manager' 
system property to "disallow" in the next release, i.e., Java 18. That 
will cause System::setSecurityManager to throw an 
UnsupportedOperationException in Java 18.

With these changes, the process of deprecating and eventually removing 
the Security Manager will be consistent with our treatment of past 
breaking changes such as, e.g., the strong encapsulation of internal 
APIs. Maintainers of libraries and applications will be given fair 
warning before any existing code is broken."