Best design to limit API access for plugin?

I am building an application that has interfaces that are designed to allow people to write plugins in the form of Jar files for it, these are then loaded in from a plugin folder with a custom Classloader and sandboxed with appropriate securities. I would ideally like for those designing the plugin to be able to just include the Application.Jar on their classpath, so that they can access some static data analysis methods I have already created as well as the interfaces that the plugin must implement and to simplify the plugin creation process. These analysis methods are also used in some classes elsewhere in the application already.

However, the issue I have is that the plugin should not be able to access and create new instances of some other classes that are within the original Application.Jar.

One way I see around this is to create a PluginResource.Jar that contains the interfaces to implement and the analysis methods I want to share. My application can then put this jar on its classpath and it resolves the issue but complicates the design process for plugin developers.

I've also considered reflection and analysing what classes call object constructors but this seems unnecessarily complex.

So my question is: From a design perspective is this achievable, and if so how would you implement it?