If there is a security manager, its checkConnect method is called
with the proxy host address and port number as its arguments. This
could result in a SecurityException.
Just configure the security manager to prevent unproxyed connections.
Even if all Java connections are proxied through Tor, it is still
possible to read the end user's IP address locally and submit it to the
server that originated the applet. Java, along with all other browser
plugins, should be disabled.
By the way, I just had another look at Roger and Mike's warning on the
download page (it's now repositioned above the download links). I think
it's very well done. Good work!