The Apache Tomcat 8 Configuration Reference states that the default value for org.apache.catalina.connector.RECYCLE_FACADES = false. However, the Security Considerations web page says:
Setting org.apache.catalina.connector.RECYCLE_FACADES system property to true will cause a new facade object to be created for each request. This reduces the chances of a bug in an application exposing data from one request to another.
Because the default value is the less safe value, I wonder why. I assume that part of it has to do with performance, but I haven't seen much discussion on RECYCLE_FACADES. What are the drawbacks of setting it to true?
The primary disadvantage of setting org.apache.catalina.connector.RECYCLE_FACADES=true is performance. Tomcat re-uses as many objects as possible across requests in order to reduce GC churn (that is, repeatedly creating and discarding many objects). There is no performance difference due to the use of these objects -- only the discarding and re-creating cycle that reduces performance.
The default setting is not "unsafe" per se, but applications with bugs can cause Tomcat to appear to do very strange things. So if applications aren't breaking any rules, then the higher-performance configuration should be preferred.
If you don't trust the applications that are running on your Tomcat instance, you should definitely enable RECYCLE FACADES.