Does using reflection to scrub a String make using String as safe as using char[] for passwords?
From a security aspect, it is
One argument I have against String is that it's just too easy to inadvertently make a copy. Using strings safely is possible in theory, but the whole library ecosystem is based on the assumption that it's perfectly OK to copy strings. In the end, considering all the restrictions, strings may not be as convenient for this use case as they generally are.
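The copying problem this answer describes, as an added example that is not part of the original post: reflection zeroes one String's backing array, yet copies made earlier by ordinary library calls still hold the secret. The class name `ScrubDemo`, the helper `scrub` and the sample password are assumptions made for illustration; on JDK 16+ run it with `java --add-opens java.base/java.lang=ALL-UNNAMED ScrubDemo.java`.

```java
import java.lang.reflect.Field;
import java.util.Arrays;
import java.util.Locale;

// Added illustration; ScrubDemo and scrub() are hypothetical names.
public class ScrubDemo {

    // Zero the array behind a String. The private field "value" is
    // char[] on Java 8 and byte[] on Java 9+ (compact strings).
    static void scrub(String s) throws ReflectiveOperationException {
        Field f = String.class.getDeclaredField("value");
        f.setAccessible(true); // JDK 16+ needs --add-opens java.base/java.lang=ALL-UNNAMED
        Object backing = f.get(s);
        if (backing instanceof byte[]) {
            Arrays.fill((byte[]) backing, (byte) 0);
        } else {
            Arrays.fill((char[]) backing, '\0');
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample secret, built from a char[] so it is not an
        // interned literal shared with the rest of the JVM.
        char[] input = {' ', 'h', 'u', 'n', 't', 'e', 'r', '2', ' '};
        String password = new String(input);

        // Routine calls that each allocate a fresh backing array:
        String trimmed = password.trim();
        String upper = password.toUpperCase(Locale.ROOT);
        String message = new StringBuilder("pw=").append(password).toString();

        scrub(password);
        Arrays.fill(input, '\0'); // the char[] itself is wiped directly

        System.out.println("original wiped:    " + !password.contains("hunter2"));
        System.out.println("trim() copy kept:  " + trimmed.equals("hunter2"));
        System.out.println("upper copy kept:   " + upper.contains("HUNTER2"));
        System.out.println("builder copy kept: " + message.contains("hunter2"));
    }
}
```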