
> I can still just inject stuff like "${env:DATABASE_PASSWORD:-xxx}

In 2.16.0 message lookups have been completely removed: https://github.com/apache/logging-log4j2/pull/623

Lookups now only work in configured patterns. That's IMHO the way it should have been in the first place.



Agree. Too easy for folks to create vulnerabilities by evaluating those arguments as if they were trusted.


They still work in the CVE-2021-45046 context lookup vector.


My understanding is this is true if you've simply disabled them with the config flag to 2.15, but is not true in 2.16?


That applies to the <2.15 mitigation for disabling message lookups. That mitigation for message lookups does not affect context lookups. Nor does the 2.15 fix for disabling, nor the 2.16 fix for removing message lookups.

But 2.16 disables JNDI lookups entirely, so that they cannot be triggered via any lookups, including context lookups. But context lookups can still trigger other non-JNDI lookups.
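The configuration shape the thread is arguing about, as an added example (not part of the original thread, and not the Log4j project's own sample config): a log4j2.xml fragment with the kind of context-lookup pattern that CVE-2021-45046 concerns next to the `%X` pattern the Apache advisory recommends in its place. The appender names, the `loginId` key and the pattern text are placeholders chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <!-- Weak: $${ctx:loginId} is a context lookup evaluated per log event.
         The value read from the ThreadContext (MDC) map is itself run through
         lookup substitution, so a caller who controls that MDC value (for
         example by setting it to ${env:DATABASE_PASSWORD:-xxx}) gets it
         expanded in the log line. On 2.15 this also reached ${jndi:...};
         on 2.16 JNDI lookups are disabled, but non-JNDI lookups such as
         env still resolve through this path. -->
    <Console name="WeakConsole" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} [%t] %-5level user=$${ctx:loginId} %c - %m%n"/>
    </Console>

    <!-- Corrected: %X{loginId} prints the same ThreadContext entry as a plain
         string; no lookup substitution is applied to its value. -->
    <Console name="SafeConsole" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} [%t] %-5level user=%X{loginId} %c - %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="SafeConsole"/>
    </Root>
  </Loggers>
</Configuration>
```

The `$$` escape is what makes the lookup survive configuration-time substitution so that it is re-evaluated for every event, which is exactly how attacker-controlled MDC values reach the substitutor; `%X{loginId}` (equivalently `%mdc{loginId}` or `%MDC{loginId}`) emits the entry without any substitution, which is why the advisory tells you to swap one for the other rather than rely on message-lookup removal alone.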



