The implementation of processEntityDescriptor in EntityFilterList has a short-circuit optimisation when the designated entity ID list is empty:
Returning false in this way means that the entity being processed should not be filtered out.
This is the correct behaviour for the case when blacklisting (i.e., when whitelistingEntities = false) as if we are blacklisting nothing then we want to retain everything.
However, if we are white listing, this is the wrong thing to do; if we are white listing nothing then we are black listing everything, and we should always return true.
We can fix this by saying return isWhitelistingEntities(); instead (I think!) but another option is probably to remove the "optimisation" here and rely on the subsequent explicit code to do the right thing. We could refactor that other code to pull the test against the set up front, but I'm not sure whether there is such a need for speed here that it's worth obfuscating what is going on.