The standard Java Reflection API is actually limited to introspection. It does not allow dynamic, runtime creation of new classes (it allows dynamic creation of new instances). It does not allow one to add new methods or fields to classes or to change the types or behavior of existing fields and methods (although conceivably, with a custom ClassLoader, one could generate new classes dynamically at runtime and have more powerful reflection).
It cannot be used to circumvent the Java language access properties (private, final, etc.) except in the case described above in ``Overriding Security.'' Because the Reflection API only distinguishes between public and non-public fields and members, access to a field or method using reflection might be denied which would have been possible by compiling a direct use (since package and protected are also treated as private through reflection).