Closure classes are currently generated as package-private because a single constant zero is passed in as the class access flags. These classes are then accessed by the org.codehaus.groovy.reflection.CachedMethod class.
When running Groovy within a Security Manager, this requires an extreme permission to be enabled: suppressAccessChecks. This permission enables reflection-based code to access methods that it has no "right" to access.
The associated PR changes the constant zero to ACC_PUBLIC, which means that the class becomes public rather than package-private. By making this change, no special security manager permissions need to be applied, thus making Groovy less of a risk. For what it's worth, the value of 0 seems more arbitrary than intentional and public seems to be the more appropriate access level for a Closure.
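The access check described above can be reproduced with plain Java reflection. This is an added example, not code from Groovy or from the PR: it uses a non-public JDK collection class as a stand-in for a generated closure class, and the class name `NonPublicClassReflection` and helper `tryInvoke` are made up for the illustration.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class NonPublicClassReflection {

    /** Invoke a no-arg method reflectively and report how the access check went. */
    static String tryInvoke(Method m, Object target) {
        try {
            return "ok, returned " + m.invoke(target);
        } catch (IllegalAccessException e) {
            // Raised when the declaring class is not public and the caller
            // lives in a different package, even if the method is public.
            return "IllegalAccessException: " + e.getMessage();
        } catch (ReflectiveOperationException e) {
            return "failed: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        // Stand-in (assumption) for a closure compiled with access flags 0:
        // the wrapper returned here is a non-public class in java.util.
        List<String> target =
                Collections.unmodifiableList(new ArrayList<>(Arrays.asList("a", "b")));

        // Looking the method up on the runtime class mirrors reflective code
        // in another package calling into a package-private class.
        Method viaImpl = target.getClass().getMethod("size");
        Class<?> owner = viaImpl.getDeclaringClass();
        System.out.println("declaring class:  " + owner.getName());
        System.out.println("class is public:  " + Modifier.isPublic(owner.getModifiers()));
        System.out.println("method is public: " + Modifier.isPublic(viaImpl.getModifiers()));
        System.out.println("invoke:           " + tryInvoke(viaImpl, target));

        // The usual workaround is viaImpl.setAccessible(true). Under a
        // Security Manager that call is gated by
        // ReflectPermission("suppressAccessChecks"), the grant discussed above.

        // When the declaring type is public, the default check passes and no
        // permission is needed, which is the effect of emitting ACC_PUBLIC.
        Method viaPublic = List.class.getMethod("size");
        System.out.println("via public type:  " + tryInvoke(viaPublic, target));
    }
}
```

When reviewing a Security Manager policy for a Groovy application, a `java.lang.reflect.ReflectPermission "suppressAccessChecks"` grant that exists only to make closures callable is the entry this change makes unnecessary.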