I figured out what's going on.
There is org.jvnet.hudson:commons-jelly and there's now org.jenkins-ci:commons-jelly. As they have different groupIDs, Maven thinks of them as different artifacts, both ship in the war, and which one "wins" in the classloader at runtime is rather nondeterministic.
So it must be that our RC soak ran with the right version, but for some environments, the bad one wins, and this fiasco ensues.
I'll write a Maven enforcer rule to catch this.
This also means that some of the "fixes" made later (such as 6523693e804bd786bc74a0354b3326ec2a8a0323) were actually unnecessary (even though they aren't wrong). I'm thinking of mandating the XSS prevention PI in all jelly views in the core, so I'd like to restore them.
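
The comment above describes two copies of the same library ending up in one war. As an added example (not code from the Jenkins project, and not the enforcer rule mentioned above), this script checks a built war for classes shipped by more than one jar under WEB-INF/lib and reports whether the copies differ. The jar names and class bytes in the sample are constructed placeholders.

```python
import io
import zipfile
from collections import defaultdict


def find_duplicate_classes(war_bytes):
    """Return {class_path: (jar_names, contents_differ)} for classes that
    appear in more than one jar under WEB-INF/lib of the given war."""
    seen = defaultdict(dict)  # class path -> {jar name: CRC32 of the class file}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for entry in war.namelist():
            if not (entry.startswith("WEB-INF/lib/") and entry.endswith(".jar")):
                continue
            jar_name = entry.rsplit("/", 1)[1]
            with zipfile.ZipFile(io.BytesIO(war.read(entry))) as jar:
                for info in jar.infolist():
                    if info.filename.endswith(".class"):
                        seen[info.filename][jar_name] = info.CRC
    return {
        cls: (sorted(crcs), len(set(crcs.values())) > 1)
        for cls, crcs in seen.items()
        if len(crcs) > 1
    }


def _zip(files):
    """Build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


def build_sample_war():
    """Constructed sample: jar names and class bytes are placeholders."""
    cls = "org/apache/commons/jelly/JellyContext.class"
    return _zip({
        "WEB-INF/lib/commons-jelly-A.jar": _zip({cls: b"build from groupId one"}),
        "WEB-INF/lib/commons-jelly-B.jar": _zip({cls: b"build from groupId two"}),
        "WEB-INF/lib/unrelated.jar": _zip({"example/Other.class": b"other"}),
        "WEB-INF/web.xml": b"<web-app/>",
    })


if __name__ == "__main__":
    for cls, (jars, differ) in find_duplicate_classes(build_sample_war()).items():
        print(cls, jars, "DIFFERENT CONTENT" if differ else "identical")
```

A class reported with differing content is the case where runtime behavior depends on which jar the classloader happens to pick first.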