This is what the documentation that comes with the JDK is for, folks; this is all explained very clearly, for example, here. This, like many other things, is handled by the installed SecurityManager. If there is no SecurityManager installed -- and when you start up the plain old command-line java.exe, there is not -- then this check isn't done at runtime. If you want the check to be done, then you need to install a security manager, which you can do by using "-Djava.security.manager" on the command line, as in
java -Djava.security.manager MyApplication
If you add this command-line switch when trying your experiment above, you'll see it fails. The default SecurityManager implementation properly enforces access modifiers.
Java applications that can host potentially untrusted code -- any kind of container, like an applet container, servlet container, RMI server, etc. -- should (and do) install a security manager to handle this sort of stuff.
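
The behaviour described in the answer above, as an added example that is not part of the original post. It assumes the experiment in question is reflective access to a private field via setAccessible(true), and a JDK on which the Security Manager is still available (it is deprecated for removal since Java 17); the class and field names are constructed for illustration.

```java
import java.lang.reflect.Field;

public class PrivateAccessDemo {

    // Constructed target: the field is private, so ordinary code cannot read it.
    static class Account {
        private String pin = "constructed-sample-value";
    }

    /** Tries to read Account.pin reflectively and reports what happened. */
    static String tryReflectiveRead() {
        try {
            Field f = Account.class.getDeclaredField("pin");
            // With a security manager installed, this call is checked against
            // ReflectPermission("suppressAccessChecks"). The default policy
            // does not grant that permission to application code, so a
            // SecurityException is thrown here instead of access being opened.
            f.setAccessible(true);
            return "read private field: " + f.get(new Account());
        } catch (SecurityException e) {
            return "blocked by security manager: " + e.getMessage();
        } catch (ReflectiveOperationException e) {
            return "reflection failed: " + e;
        }
    }

    public static void main(String[] args) {
        // null when the JVM was started without -Djava.security.manager
        boolean installed = System.getSecurityManager() != null;
        System.out.println("security manager installed: " + installed);
        System.out.println(tryReflectiveRead());
    }
}
```

Run it once as `java PrivateAccessDemo` and once as `java -Djava.security.manager PrivateAccessDemo` to compare the two outcomes.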