Jenkins / JENKINS-69965

Groovy security check confused by custom coercion Src.asType(Class c)


      Here is a basic case:

      interface B {
          void foo();
      }
      class A {
          // custom coercion hook: plain Groovy dispatches "a as B" to a.asType(B)
          Object asType(Class cls) {
              assert 0; // not called
          }
      }
      A a = new A();
      Object o = a as B;
      

      In Groovy, this would assert because "a as B" would call a.asType(B).

      In the sandbox, this ends up raising a security exception: "Scripts not permitted to use method GroovyObject invokeMethod String Object (A foo)".

      The exception is raised from org.kohsuke.groovy.sandbox.impl.Checker.preCheckedCast. I believe the second block, clazz.isInterface(), is iterating over the methods of B (clazz), checking that they can be called. But it is passing a (exp) to the method call. Then, that seems to throw an exception because there is no a.foo method, and it would resort to a.invokeMethod(...), which is not allowed.

      It seems to be thinking that a (exp) implements clazz.  However, here, (a as B) should call a.asType(B).  Also, it would seem the previous clazz.isAssignableFrom(exp.getClass()) would be true if a implements B.  So, it isn't clear (to me) what that check is doing.

      Workaround in this case, where I know that there is a custom asType, is to use a.asType(B), and that works correctly.
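A standalone reproduction harness, added here as an example and not part of this issue, of Jenkins or of groovy-sandbox: it compiles the reporter's two variants with SandboxTransformer and registers a hypothetical allowlisting GroovyInterceptor (a stand-in for script-security's whitelist, permitting only A.asType) that records every method call the Checker asks about before deciding. The groovy-sandbox version in @Grab, Groovy 2.4.x (what Jenkins runs), the interceptor and the AllowlistInterceptor/runSandboxed names are assumptions; the outcome described in the note below is the behaviour the report states, not something verified here.

```groovy
// Added reproduction harness; not part of JENKINS-69965, Jenkins or groovy-sandbox.
// Assumptions: Groovy 2.4.x and the groovy-sandbox version below; adjust it to the
// one bundled by the script-security plugin you are triaging against.
@Grab('org.kohsuke:groovy-sandbox:1.30')
import groovy.transform.Field
import org.codehaus.groovy.control.CompilerConfiguration
import org.kohsuke.groovy.sandbox.GroovyInterceptor
import org.kohsuke.groovy.sandbox.SandboxTransformer

// Hypothetical allowlisting interceptor standing in for script-security's whitelist:
// it logs every method call the sandbox asks about and permits only A.asType, so the
// Checker's probe of B.foo() on an A receiver is rejected the way the report describes.
class AllowlistInterceptor extends GroovyInterceptor {
    static final Set<String> ALLOWED = ['A.asType'] as Set
    final List<String> seen = []

    @Override
    Object onMethodCall(GroovyInterceptor.Invoker invoker, Object receiver,
                        String method, Object... args) throws Throwable {
        String sig = "${receiver?.getClass()?.simpleName}.${method}"
        seen << sig
        if (!ALLOWED.contains(sig)) {
            throw new SecurityException("Scripts not permitted to use method ${sig}")
        }
        return invoker.call(receiver, method, args)
    }
}

// The reporter's types, with asType recording whether it ran instead of asserting.
@Field String PREAMBLE = '''
interface B { void foo() }
class A {
    static boolean asTypeCalled = false
    Object asType(Class cls) { asTypeCalled = true; return null }
}
A a = new A()
'''

// Compile with SandboxTransformer so casts become Checker.checkedCast and method
// calls are routed through the registered interceptor, then run the script body.
def runSandboxed(String body) {
    CompilerConfiguration cc = new CompilerConfiguration()
    cc.addCompilationCustomizers(new SandboxTransformer())
    GroovyShell shell = new GroovyShell(cc)
    AllowlistInterceptor interceptor = new AllowlistInterceptor()
    interceptor.register()
    try {
        Object result = shell.evaluate(PREAMBLE + body)
        return [result: result, calls: interceptor.seen]
    } catch (Exception e) {
        return [error: "${e.class.simpleName}: ${e.message}", calls: interceptor.seen]
    } finally {
        interceptor.unregister()
    }
}

// Variant 1: the reporter's failing form, an "as" cast to an interface.
println 'a as B      -> ' + runSandboxed('Object o = a as B\nreturn A.asTypeCalled')
// Variant 2: the reporter's workaround, an explicit asType call.
println 'a.asType(B) -> ' + runSandboxed('Object o = a.asType(B)\nreturn A.asTypeCalled')
```

Per the report, the first variant should stop with the SecurityException for the probe of foo on an A receiver (Jenkins surfaces it as GroovyObject invokeMethod) with asTypeCalled still false, while the second should return true with only A.asType in the call log. The `calls` list is the useful part when triaging: it shows which call the Checker attempted on the receiver before the cast was rejected.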

Assignee: Unassigned
Reporter: Justin Vallon (vallon)