RE: EJB encapsulation (data hiding) pattern... Is there such a thing?

[Jason Smith]

If you have control over the deployment & assembly maybe you can use the
"run-as-specified-identity" security configuration for your Person, then
only allow that role to invoke methods on Phone.  I may be way off base here
since I have never tried to do this, but I thought I would throw it out.
-jason