Initial pass through the source code shows Privileges to be unmodifiable. AccessControlManagerImpl has a hard dependency on it as well, so I can't factory my own version. AccessControlManagerImpl is similarly constructed bare inside the JcrSession. Why aren't these implementations factoried in a why that we can customize?
Why aren't these implementations factoried in a why that we can customize?
Because they represent the implementation of JSR-283's ACL feature which wasn't meant to be extended and which supports only the standard privileges: http://www.day.com/specs/jcr/2.0/16_Access_Control_Management.html
On the other hand, you have the option of not using ACLs and fully implementing & plugging-in the logic which performs node/operation authorization. See Custom authentication providers - ModeShape 4 - Project Documentation Editor and modeshape-examples/modeshape-custom-security-example at master · ModeShape/modeshape-examples · GitHub. These should offer enough flexibility to integrate with any custom security logic.