First, you have to understand the difference between security and good software engineering practice. The first is something you try to lock down 100%. The latter is something you try to enforce, but people have legitimate reasons for getting around it in some cases. For example, "encapsulation" is good practice, but sometimes someone might need to hack a feature in under a tight deadline...
Second, note that although by default, you can access private members using reflection, a java.lang.SecurityManager can be installed in any JVM, and that security manager can block reflective access by policy. In a security-critical environment, this might be something you want to do.
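A sketch of such a policy, added here as an illustration and not part of the original answer: a security manager that refuses the `ReflectPermission("suppressAccessChecks")` check made by `setAccessible(true)`. The class names `ReflectionPolicyDemo`, `Account` and `NoPrivateReflection` and the sample field are constructed for the example.

```java
import java.lang.reflect.Field;
import java.lang.reflect.ReflectPermission;
import java.security.Permission;

// SecurityManager is deprecated for removal since Java 17. On Java 18-23 run with
// -Djava.security.manager=allow; on Java 24+ setSecurityManager always throws
// UnsupportedOperationException, so this demo applies to older runtimes.
@SuppressWarnings("removal")
public class ReflectionPolicyDemo {

    static class Account {                       // constructed sample class
        private String secret = "constructed-sample-value";
    }

    // Hypothetical policy: allow everything except the two permissions below.
    static class NoPrivateReflection extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            // Required by AccessibleObject.setAccessible(true).
            if (perm instanceof ReflectPermission
                    && "suppressAccessChecks".equals(perm.getName())) {
                throw new SecurityException("reflective access to non-public members is blocked");
            }
            // Without this, any code could uninstall the policy again.
            if (perm instanceof RuntimePermission
                    && "setSecurityManager".equals(perm.getName())) {
                throw new SecurityException("security manager cannot be replaced");
            }
        }
    }

    static String readSecret(Account a) throws ReflectiveOperationException {
        Field f = Account.class.getDeclaredField("secret");
        f.setAccessible(true);                   // the permission check happens here
        return (String) f.get(a);
    }

    public static void main(String[] args) throws Exception {
        Account a = new Account();
        System.out.println("default JVM:   " + readSecret(a));

        System.setSecurityManager(new NoPrivateReflection());
        try {
            readSecret(a);
            System.out.println("with policy:   still readable");
        } catch (SecurityException e) {
            System.out.println("with policy:   blocked (" + e.getMessage() + ")");
        }
    }
}
```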