JENKINS-25348

Multiple copies of groovy-sandbox jar compromises security


XMLEscapingTemplateEngine compiles a script with uberClassLoader. When SandboxTransformer runs, it generates all sorts of references to Checker.checkedCall(...) and the like, and these symbolic references are resolved against uberClassLoader.

If another plugin happens to bundle groovy-sandbox.jar (as the email-ext plugin does), then these calls will resolve against that copy, which means none of the interceptors will be invoked.

The Script Security plugin needs to set a custom parent classloader so that references to groovy-sandbox are always resolved to the copy visible from script-security.
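The following is an added Java example (not code from the issue or from the script-security plugin) that reproduces the mechanism described above with a hypothetical stand-in for groovy-sandbox's Checker: a loader that defines its own copy of the class never trips the interceptor state in script-security's copy, while a pinning parent loader that routes sandbox references back to script-security's classloader does. It assumes Java 9 or later and that the class files are on disk.

```java
import java.io.IOException;
import java.io.InputStream;

public class SandboxLoaderDemo {
    // Hypothetical stand-in for groovy-sandbox's Checker: each ClassLoader that defines it gets a
    // distinct Class with its own static state, so another copy never reaches these interceptors.
    public static class Checker {
        public static boolean intercepted = false;
        public static Object checkedCall(Object receiver, String method) { intercepted = true; return null; }
    }
    static final String SANDBOX_CLASS = Checker.class.getName();

    // Parent-first loader that defines its own Checker from the same bytes when its parent cannot
    // supply one: the equivalent of a plugin shipping its own groovy-sandbox.jar.
    static class PluginLoader extends ClassLoader {
        PluginLoader(ClassLoader parent) { super(parent); }
        @Override protected Class<?> findClass(String name) throws ClassNotFoundException {
            if (!name.equals(SANDBOX_CLASS)) throw new ClassNotFoundException(name);
            try (InputStream in = SandboxLoaderDemo.class.getResourceAsStream("/" + name + ".class")) {
                if (in == null) throw new ClassNotFoundException(name);
                byte[] b = in.readAllBytes();
                return defineClass(name, b, 0, b.length);
            } catch (IOException e) { throw new ClassNotFoundException(name, e); }
        }
    }

    // The custom parent the issue asks for: every groovy-sandbox reference is answered by the copy
    // visible from script-security before any other loader gets to supply its own.
    static class PinningParent extends ClassLoader {
        private final ClassLoader scriptSecurity;
        PinningParent(ClassLoader fallback, ClassLoader scriptSecurity) { super(fallback); this.scriptSecurity = scriptSecurity; }
        @Override protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (name.equals(SANDBOX_CLASS)) return scriptSecurity.loadClass(name);
            return super.loadClass(name, resolve);
        }
    }

    // Models a transformed script whose Checker.checkedCall(...) reference is resolved by scriptLoader
    // and reports whether script-security's own Checker saw the call.
    static boolean interceptorInvoked(ClassLoader scriptLoader) throws Exception {
        Checker.intercepted = false;
        Class<?> c = scriptLoader.loadClass(SANDBOX_CLASS);
        c.getMethod("checkedCall", Object.class, String.class).invoke(null, "receiver", "execute");
        return Checker.intercepted;
    }

    public static void main(String[] args) throws Exception {
        ClassLoader scriptSecurity = SandboxLoaderDemo.class.getClassLoader();
        ClassLoader uberWithDuplicate = new PluginLoader(null); // bootstrap parent has no Checker, so a second copy is defined
        ClassLoader pinned = new PluginLoader(new PinningParent(null, scriptSecurity));
        System.out.println("duplicate jar, default parent: interceptor invoked = " + interceptorInvoked(uberWithDuplicate));
        System.out.println("pinning parent:                interceptor invoked = " + interceptorInvoked(pinned));
    }
}
```

Compile with `javac SandboxLoaderDemo.java` and run with `java SandboxLoaderDemo`; the in-memory source launcher (`java SandboxLoaderDemo.java`) does not expose the class file as a resource, so the duplicate copy cannot be defined that way.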

Kohsuke Kawaguchi (kohsuke)