GetInstancePolicySpi.implies returns 'true' when the ProtectionDomain of the caller is the same as its own. That is normally correct, except in this case the test is set up improperly.
The test (GetInstance) and the policy implementation (GetInstancePolicySpi) both reside in the same domain. Because of the domain check (described above), checks against GetInstance should have failed, but actually passed. This wasn't noticed because a failure was actually detected - it was against jtreg's domain (not against GetInstance's domain). When jtreg was given AllPermission, the failure disappeared so the test began to report errors.
The proper way to set up this test is to separate GetInstance's domain from GetInstancePolicySpi's domain. This is a painful change. Instead, we can cheat. GetInstancePolicySpi only needs that special domain check to avoid recursion (if it itself causes a security check). Fortunately, that doesn't occur in this test case. Therefore we can eliminate the domain check entirely, causing checks against GetInstance to fail as expected.