Consider a closure attempts to call methods/properties like the following:

class Foo { def foo() {} }
def c = { -> foo(); }
c.delegate = new Foo();
c();

script-security currently tries to check the access at GroovyObject.invokeMethod. For example, the above would be rejected like this:

org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object (Script1$_run_closure1 foo)

This is hardly useful, because GroovyObject.invokeMethod is too generic to whitelist. It's much more sensible to figure out where this call is actually handled (in this case Foo.foo, then check the access of the target (in the case above this would have been allowed via ClassLoaderWhitelist)