The DJVM's Whitelist object is a relic from the original code-base where we attempted to rewrite only some of the java.* classes. The modern DJVM is very specific about which classes can and cannot be whitelisted, which means that this should no longer be user-configurable.
Alternatively, there are a few cases when the rules-based byte-code rewriting may have problems at runtime, e.g. poor performance. Therefore we also need to be able to inject carefully chosen hand-crafted classes into the sandbox's root configuration without their byte-code being modified.