It doesn't look like it's a part of the standard API though. That looks like it's some sort of framework API for Oracle Fusion. It's also not open source.

Those are primarily for in-memory security. They apparently uses a "known default key" in its serialized form. At least when it comes to logging, that's more like obfuscation than security.

According to its documentation, you can’t directly log a GuardedString because it doesn’t implement the toString() method. You have to pass it an accessor instance through its access() method to extract the plaintext.