Hi Cameron,
I have some fresh experience regarding this from yesterday. I managed to get the YouTube portlet to work by adding the following to liferay-plugin-package.properties:
security-manager-enabled=true
security-manager-files-read=\
 ${java.io.tmpdir}${file.separator}-,\
 ${liferay.web.portal.dir}${file.separator}html${file.separator}taglib${file.separator}-,\
 ${liferay.web.portal.dir}${file.separator}html${file.separator}themes${file.separator}-
security-manager-files-write=${java.io.tmpdir}${file.separator}- 
security-manager-get-bean-property=\
 com.liferay.portal.util.PortalUtil,\
 com.liferay.portal.kernel.deploy.hot.HotDeployUtil,\
 com.liferay.portal.kernel.util.PropsUtil,\
 com.liferay.portal.kernel.servlet.DirectRequestDispatcherFactoryUtil,\
 com.liferay.portal.kernel.cache.key.CacheKeyGeneratorUtil,\
 com.liferay.portal.kernel.servlet.DirectServletRegistryUtil,\
 com.liferay.portal.kernel.configuration.ConfigurationFactoryUtil,\
 com.liferay.portlet.PortletPreferencesFactoryUtil,\
 com.liferay.portal.kernel.dao.orm.EntityCacheUtil,\
 com.liferay.portal.kernel.cache.CacheRegistryUtil,\
 com.liferay.portal.kernel.dao.shard.ShardUtil,\
 com.liferay.portal.kernel.staging.LayoutStagingUtil,\
 com.liferay.portal.kernel.dao.db.DBFactoryUtil,\
 com.liferay.portal.kernel.dao.orm.FinderCacheUtil,\
 com.liferay.portal.security.auth.AuthTokenUtil,\
 com.liferay.portal.kernel.util.HttpUtil,\
 com.liferay.portal.service.permission.PortletPermissionUtil,\
 com.liferay.portal.kernel.util.HtmlUtil,\
 com.liferay.portal.kernel.util.LocaleUtil
 
security-manager-services=\
 com.liferay.portal.service.GroupLocalService,\
 com.liferay.portal.service.PortletPreferencesLocalService,\
 com.liferay.portal.service.LayoutLocalService,\
 com.liferay.portal.service.LayoutSetLocalService
If you don't see the error messages about the missing classes, then you need to set the log level of BaseChecker to WARN. As this didn't work for me, I caught the Caught/Uncaught SecurityExceptions using the debugger in order to see what classes I needed to add.
Regards,
Gábor
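An added example (not part of the original post, and not Liferay code): a small Python audit that parses properties like the ones above and reports which file grants are wider than a single file, using the java.io.FilePermission convention that a path ending in a separator plus `-` covers a directory and everything below it. The function names and the trimmed sample are constructed for illustration.

```python
SEP = "${file.separator}"
FILE_KEYS = ("security-manager-files-read", "security-manager-files-write")

# Constructed sample, trimmed from the properties shown in the post above.
SAMPLE = r"""
security-manager-enabled=true
security-manager-files-read=\
 ${java.io.tmpdir}${file.separator}-,\
 ${liferay.web.portal.dir}${file.separator}html${file.separator}taglib${file.separator}-
security-manager-files-write=${java.io.tmpdir}${file.separator}-
security-manager-services=\
 com.liferay.portal.service.GroupLocalService,\
 com.liferay.portal.service.LayoutLocalService
"""

def parse_properties(text):
    """Parse key=value lines, joining backslash continuations (simplified:
    only '=' separators; any trailing backslash counts as a continuation)."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()  # continuation lines lose their leading whitespace
        if not pending and (not line or line[0] in "#!"):
            continue  # blank line or comment
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        key, _, value = (pending + line).partition("=")
        props[key.strip()] = value.strip()
        pending = ""
    return props

def split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def file_scope(path):
    """Classify one grant by java.io.FilePermission path semantics."""
    norm = path.replace(SEP, "/")
    if norm == "<<ALL FILES>>":
        return "all-files"
    if norm == "-" or norm.endswith("/-"):
        return "recursive"   # directory and every subdirectory
    if norm == "*" or norm.endswith("/*"):
        return "directory"   # files directly inside one directory
    return "single"

def audit(props):
    """Return (key, path, scope) for every grant wider than a single file."""
    grants = [(k, p, file_scope(p)) for k in FILE_KEYS
              for p in split_list(props.get(k, ""))]
    return [g for g in grants if g[2] != "single"]
```

Running `audit(parse_properties(SAMPLE))` lists each recursive read or write grant, which makes it easy to review whether a grant added while chasing SecurityExceptions can be narrowed to a specific subdirectory or file.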