Yes, I am familiar with that. But consider how
applets work in that context: An applet can't connect to any server except the one it was downloaded from. So far so good, no cross-domain access. Until you sign the applet, that is. Then it can connect to anything in the world. So it's an all-or-nothing choice.
I think it's the same with JNLP; there's an "all-permissions" element (I think) in the JNLP file which acts pretty much the same as signing the applet. All or nothing there, too.