In the light of the modularization effort it would IMHO make a lot of sense to refactor oak.spi.security.* into a separate module/bundle that could be release independent of oak-core.
As far as I could see so far this is currently not easily doable due to the dependency of oak.spi.security.* on oak.plugins.tree, which in turn relies on o.a.j.oak.query.QueryEngineSettings and other oak-core internals (see also
OAK-6304). Most likely this issue would therefore require a complete review (and possibly a split) of the oak.plugins.tree package space which contains a mixture of utilities and 'API' (like e.g. TreeContext and TreeLocation)... will open a separate issue for this linking to this one.