Instantiating the java.lang.Class object for a class is probably not terribly risky, but there are certainly scenarios where untrusted classes could be loaded... if their static initializers are run, there is an opportunity for Bad Things to happen.
But if you were worried about such a thing, you'd use a ClassNameMatcher instead.
To improve performance, one could keep a lookup table of className -> java.lang.Class that you update only when the class name is acceptable. That would allow you to safely perform type-checking in a ClassMatcher, but only under certain conditions.
For instance, let's say that I am willing to allow java.util.List and anything that implements that interface (dangerous, but illustrative). If I have a com.foo.SpecialList, the only way to check to see whether com.foo.SpecialList will be acceptable is to check the class hierarchy to see if it implements that interface (or any others registered, of course). I don't see a way around this unless you want to use commons-bcel to inspect .class files without formally loading them into the ClassLoader and risking the execution of their static initializers.
Without something like a ClassMatcher, it will often be very difficult to specify every possible class that you might want to allow for deserialization.
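
Added example, not part of the original comment and not any library's code: a hierarchy check that resolves a class name with `Class.forName(name, false, loader)`, which loads the class without running its static initializers, and caches the decision per class name. `HierarchyCheck`, `Noisy` and the `demo.noisy.initialized` property are hypothetical names constructed for this illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration: HierarchyCheck and Noisy are hypothetical names, not a library API.
public class HierarchyCheck {
    private final ClassLoader loader;
    private final Class<?>[] allowedSupertypes;
    // className -> decision, so each name is resolved against the hierarchy only once.
    private final Map<String, Boolean> decisions = new ConcurrentHashMap<>();

    public HierarchyCheck(ClassLoader loader, Class<?>... allowedSupertypes) {
        this.loader = loader;
        this.allowedSupertypes = allowedSupertypes.clone();
    }

    public boolean accepts(String className) {
        return decisions.computeIfAbsent(className, this::resolve);
    }

    private boolean resolve(String className) {
        try {
            // initialize=false loads the class but does not run its static initializers.
            Class<?> candidate = Class.forName(className, false, loader);
            for (Class<?> allowed : allowedSupertypes) {
                if (allowed.isAssignableFrom(candidate)) {
                    return true;
                }
            }
            return false;
        } catch (ClassNotFoundException | LinkageError e) {
            return false; // unknown or unloadable classes are rejected
        }
    }

    // Constructed sample: a List implementation whose static initializer has a visible side effect.
    static class Noisy extends ArrayList<Object> {
        static { System.setProperty("demo.noisy.initialized", "true"); }
    }

    public static void main(String[] args) {
        HierarchyCheck check = new HierarchyCheck(HierarchyCheck.class.getClassLoader(), List.class);
        System.out.println(check.accepts("HierarchyCheck$Noisy"));                 // implements List
        System.out.println(check.accepts("java.lang.ProcessBuilder"));            // does not
        System.out.println(System.getProperty("demo.noisy.initialized") == null); // initializer not run
    }
}
```

The class is still defined in the ClassLoader by this check; only initialization is deferred, and it will happen if the stream later instantiates an accepted class.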