Bug
Resolution: Done
Major
7.1.0.DR18
Documentation (Ref Guide, User Guide, etc.)
Artemis provides a way to restrict which objects can be deserialized. This feature should be documented. Changes are required in the books Developing EJB Applications and Configuring Messaging.
Configuring Messaging
An ObjectMessage may contain a potentially dangerous object payload. You can restrict which objects can be deserialized in an MDB using the activation configuration properties deserializationBlackList and deserializationWhiteList, where you specify a list of classes that are allowed or disallowed to be deserialized.
We need to document the existence of these activation configuration properties for message-driven beans and document the information provided in the first section of Controlling JMS ObjectMessage deserialization in the ActiveMQ Artemis docs [1].
Developing EJB Applications
The JBoss-specific activation configuration properties deserializationBlackList and deserializationWhiteList should be added to Table 4.2. Activation Configuration Properties defined by JBoss EAP in chapter 4.6. Activation Configuration Properties. For a detailed description we should provide a link to the Configuring Messaging guide.
[1] https://github.com/apache/activemq-artemis/blob/33af9901c61798ec7b6ec2ee72b7bdf3bdca2c78/docs/user-manual/en/security.md
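An added example, not part of the original ticket or of the JBoss EAP or Artemis documentation: a message-driven bean that sets the two activation configuration properties named above. The bean name, queue JNDI name and `com.example.*` packages are hypothetical; the value format (class or package names, with the black list taking precedence) and the `JMSException` on a rejected payload are assumptions based on the Artemis document linked as [1].

```java
import java.io.Serializable;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.ejb.ActivationConfigProperty;
import javax.ejb.MessageDriven;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageListener;
import javax.jms.ObjectMessage;

// Hypothetical MDB: the queue name and com.example.* packages are placeholders.
@MessageDriven(name = "OrderListener", activationConfig = {
    @ActivationConfigProperty(propertyName = "destinationLookup",
                              propertyValue = "java:/jms/queue/OrderQueue"),
    @ActivationConfigProperty(propertyName = "destinationType",
                              propertyValue = "javax.jms.Queue"),
    // Allow list: only payload classes from this package may be deserialized.
    @ActivationConfigProperty(propertyName = "deserializationWhiteList",
                              propertyValue = "com.example.orders.dto"),
    // Deny list: assumed to win over the allow list for this sub-package.
    @ActivationConfigProperty(propertyName = "deserializationBlackList",
                              propertyValue = "com.example.orders.dto.legacy")
})
public class OrderListener implements MessageListener {

    private static final Logger LOG = Logger.getLogger(OrderListener.class.getName());

    @Override
    public void onMessage(Message message) {
        if (!(message instanceof ObjectMessage)) {
            LOG.warning("Ignoring message that is not an ObjectMessage");
            return;
        }
        try {
            // The payload is deserialized on getObject(), so the class filter
            // is applied at this call and not when the message is delivered.
            Serializable payload = ((ObjectMessage) message).getObject();
            String type = (payload == null) ? "null" : payload.getClass().getName();
            LOG.info("Accepted ObjectMessage payload of type " + type);
        } catch (JMSException e) {
            // Assumed behaviour: a class outside the allow list, or on the deny
            // list, surfaces here. Log it and do not process the payload.
            LOG.log(Level.WARNING, "ObjectMessage payload rejected or unreadable", e);
        }
    }
}
```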
relates to:
JBEAP-11676 Documentation - Configuring Messaging - explain attributes deserialization-black-list, deserialization-white-list (Closed)