You own a Java service that processes protected health information (PHI) and decrypts short-lived credentials to call internal APIs. During a recent production incident the service showed repeated GC pauses and rising heap usage, and a heap dump captured by the diagnostics tooling was found to contain sensitive request fields and decrypted token material. The service runs in containers, scales horizontally, and is expected to fail safely under memory pressure without exposing data.
How would you manage memory in this Java application so it remains stable under load and reduces the chance that PHI or secrets are exposed through heap dumps, logs, crash artifacts, or long-lived objects? Be explicit about the JVM, application design, and operational controls you would put in place and how you would verify they work.
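One application-level control an answer would typically include, shown here as an added example rather than anything from the page or from a particular library: keep decrypted token material in a mutable byte[] that is exposed only inside a bounded scope, zero-filled when that scope ends, and never materialized as a String (immutable, possibly interned, and impossible to wipe). The class name `ZeroizingSecret`, its methods, and the token value are hypothetical and constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.function.Function;

/**
 * Short-lived holder for decrypted token bytes. Hypothetical helper written for this
 * example, not from any framework. The secret lives in a byte[] (never a String), is
 * handed out only through use(), is overwritten on close(), and prints redacted.
 */
public final class ZeroizingSecret implements AutoCloseable {
    private final byte[] bytes;
    private volatile boolean wiped;

    /** Takes ownership of the array; the caller must not keep its own reference to it. */
    public ZeroizingSecret(byte[] bytes) {
        this.bytes = bytes;
    }

    /** Runs fn with the raw bytes and returns its result; refuses to run once wiped. */
    public <T> T use(Function<byte[], T> fn) {
        if (wiped) throw new IllegalStateException("secret already wiped");
        return fn.apply(bytes);
    }

    /** Length is safe to expose for metrics; the value is not. */
    public int length() { return bytes.length; }

    public boolean isWiped() { return wiped; }

    /** Overwrite the backing array so a later heap dump or core file sees zeros, not the token. */
    @Override
    public void close() {
        Arrays.fill(bytes, (byte) 0);
        wiped = true;
    }

    /** Anything that logs, string-concatenates or inspects this object gets a redacted marker. */
    @Override
    public String toString() {
        return "ZeroizingSecret[" + bytes.length + " bytes, redacted]";
    }

    /** Demonstrates the pattern on a constructed token (not real credential material). */
    public static boolean demo() {
        byte[] decrypted = "tok_example_not_real_0001".getBytes(StandardCharsets.US_ASCII);
        byte[] backing;  // captured only so the caller can verify wiping after the scope ends
        try (ZeroizingSecret secret = new ZeroizingSecret(decrypted)) {
            backing = secret.use(b -> b);
            // Build the Authorization header into its own byte[] so no String copy of the
            // token is ever created; the derived copy is wiped in a finally block as well.
            byte[] prefix = "Bearer ".getBytes(StandardCharsets.US_ASCII);
            byte[] header = secret.use(b -> {
                byte[] h = Arrays.copyOf(prefix, prefix.length + b.length);
                System.arraycopy(b, 0, h, prefix.length, b.length);
                return h;
            });
            try {
                // ... hand `header` to the HTTP client for the internal API call here ...
                System.out.println("calling API with " + secret + ", header length " + header.length);
            } finally {
                Arrays.fill(header, (byte) 0);
            }
        }
        boolean allZero = true;
        for (byte b : backing) allZero &= (b == 0);
        return allZero;
    }

    public static void main(String[] args) {
        System.out.println("wiped after close: " + demo());
    }
}
```

Two caveats a reviewer would expect alongside this. First, zeroing shortens the exposure window but does not guarantee there is no stale copy: a moving collector may have relocated the array and left the old bytes in place until that region is reused, so the JVM and operational controls still matter, in particular deciding whether -XX:+HeapDumpOnOutOfMemoryError is enabled at all, where -XX:HeapDumpPath writes and who can read it, sizing the heap from the container limit with -XX:MaxRAMPercentage, and using -XX:+ExitOnOutOfMemoryError so the process fails fast rather than limping on and being dumped. Second, verify the pattern the same way the incident was found: take a heap dump in a test environment while a request is in flight and after it completes, and confirm the token bytes appear only in the first.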