Is it good system design to allow objects to communicate via secret protocols? Is it possible to prevent them from communicating thus?

Collusion is a pejorative word describing agents working together to some other’s detriment. Keykos and other good capability designs are able to prevent communication between objects, even objects defined by the same code. When agents have legitimate access to each other, however, it seems impossible to prevent them from passing secret signals. At best it may be possible to prevent them from passing capabilities, and then only in a weak sense.

Where collusion cannot be prevented it seems wise to make it efficient, for there are legitimate uses of such privileged communications. Indeed capability systems often provide some form of sibling communication under some name. In C++ and Java one instance of a class may directly access fields of another instance of the same class, but only via some reference to that other instance. This is efficient sibling communication when we view an instance reference as a capability.

In Keykos there is no such primitive sibling communication but a domain creator, which is generally available to its progeny, is able, given a weak start key to one of its progeny, to provide a strong start key to the same. Via the strong key, messages may be passed between instances which are recognized as coming from a confederate and thus deserving a privileged response. The domain creator is generally accessible to its progeny.

Java and C++ have static variables that are accessible to each instance of the class. Thus those languages provide no possibility of instance confinement based on denial of references.

Both kinds of sibling communication provide a form of authentication as well. The object knows that the correspondent is its sibling.

Sibling communication is a form of synergy. One form of synergy usually entails the other forms so the question is broader than merely sibling communication.

On the other hand see this.