As the Confluence 7.15 version sets the xstream.allowlist.enable as true by default in the development mode that requires to use the xstream-security module.

When using compat-lib, xstream-security module seems not work with the given explanations in https://confluence.atlassian.com/doc/xstream-1-4-upgrade-1026045605.html

Cause
It is found that security-module registration event registers the security module with core's and plugin's XStream, but not compat-lib's XStream reference.
As part of quick solution, Confluence team would try to lazify the XStream reference in XStreamManagerCompat class.

That provokes:
com.atlassian.confluence.api.service.exceptions.ServiceException: Could not deserialize object as XStream might not be properly initialized

Workaround
If Confluence is running through amps, configure confluence JVM sysprop `xstream.allowlist.enable` to `false` using systemPropertyVariables. Please read more about setting system properties on its amps documentation.