You are responsible for a Java service that handles authentication tokens and customer PII in memory while serving requests through a pooled worker model. After a recent incident review, your team found that sensitive values may have remained reachable longer than expected during GC pauses and object reuse. You need to explain how Java memory management affects both reliability and data exposure in this service.
How does Java memory management work in this context, and what would you do to reduce the risk of sensitive data lingering in heap or stack memory longer than necessary? Be specific about the trade-offs between performance, observability, and security.