Your analysis is correct, you cannot have such a guarantee.
Your program is executed by the Java virtual machine. Whatever property you want to require of the JVM, you have to ask it “does this property hold?”. So you'd be asking the JVM “do you protect my application against the people who are running you?”, and the people who are running that JVM can configure it to lie — just say “yes” even though the answer is no. At most you would require a minor patch to the JVM, and probably not even that as whoever wants to see your application run can just fire up a debugger.
The Security Manager controls separation between applications. It protects your application from other Java applications. It doesn't protect you against the JVM itself: by running an application on it, you are trusting it.
I am sometimes shocked by the blasphemies of those who think themselves pious-for instance, the nuns who never take a bath without wearing a bathrobe all the time. When asked why, since no man can see them, they reply: 'Oh, but you forget the good God.' Apparently they conceive of the Deity as a Peeping Tom, whose omnipotence enables Him to see through bathroom walls, but who is foiled by bathrobes. This view strikes me as curious. (Bertrand Russell)