by signing your objects with LDS or another scheme, it allows a hostile implementation to boost them even if they are not public (!)
if you do not sign your objects, then they will have to be referenced with a pointer, these pointers are known as "capability URLs" and allow for your instance to make the access control decision (your code can either give them the object or not based on what they gave you)
if you do not sign your objects, then they will have to be referenced with a pointer, these pointers are known as "capability URLs" and allow for your instance to make the access control decision (your code can either give them the object or not based on what they gave you)