Java had restrictions on cross-domain access just like Javascript does and Flash did.

Users could grant applets additional permissions - but that also granted them local permissions (like reading files) which were unambiguously a security risk.