This turned out to be an interesting issue. The FastInfoset format, defined in http://www.itu.int/ITU-T/asn1/xml/finf.htm, is based on the XML information set concept described in http://www.w3.org/TR/xml-infoset/. The XMLinformation set is an abstract representation of a parsed XML document, and, as such, does not include a representation of external entities in the DTD section. Instead, an external entity is either expanded, in which case it does not appear after parsing, or it is not expanded. In the latter case, the information set has a representation of an "unexpanded entity reference", which includes PUBLIC and SYSTEM references. It follows that the FastInfoset format also not have external references in the DTD section, just unexpanded entity references. It seems that these unexpanded entity references don't fit well with existing XML parsers, and every treatment of FastInfoset documents that I could find seems to just ignore them. It follows that they are not subject to XXE attacks. So for this issue, I added unit tests that verify that unexpanded entity references remain unexpanded, in case future treatments no longer ignore them.
It also turns out that the changes in the JAXB provider to guard agains XXE attacks interfered with the FastInfoset provider classes, so they override the suppressExpandEntityExpansion() method so that the unmarshaller wrapping in the JAXB provider is avoided.