Using valueOf from known classes (Boolean.valueOf , etc.) are allowed (see source generic-whitelist).

But for custom Enum, we have to approve. Now because we cannot override valueOf, this method is very secure. Because we can't authorize all valueOf from all existing Enum in the world, we could just allow Enum.valueOf(Class<T> enumType, String name).