In 2016, there were many attacks exploiting Java deserialization. Many turned to JSON libraries, which were thought to be safer. However, no library can be fully trusted when it is used to deserialize untrusted data!
As long as there is enough space and user-controlled types can be invoked, attackers will be able to start a gadget chain that can lead to the execution of arbitrary code.
If you absolutely must deserialize untrusted data, make sure that you use a secure library with strict type control and that you never use user-controlled data for the deserializer's expected type.
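The difference between a data-selected type and a code-selected type, as an added example that is not from the original page or any real library. It is a language-neutral sketch in Python; the `$type` field, the class names and the sample inputs are all constructed for illustration, and `CacheLoader` only records that it was instantiated.

```python
import json
from dataclasses import dataclass, fields

SIDE_EFFECTS = []  # constructed: records what a "gadget" constructor did

@dataclass
class Profile:
    name: str
    email: str

class CacheLoader:
    """Constructed stand-in for a gadget: merely instantiating it acts on its input."""
    def __init__(self, path):
        SIDE_EFFECTS.append(f"opened {path}")

# Every class the application can reach, as a type-resolving deserializer sees it.
REACHABLE = {"Profile": Profile, "CacheLoader": CacheLoader}

def unsafe_load(text):
    """Weak pattern: the data names the type that gets instantiated."""
    doc = json.loads(text)
    cls = REACHABLE[doc.pop("$type")]
    return cls(**doc)

def strict_load(text, expected):
    """Hardened pattern: the caller's code fixes the type; the data cannot change it."""
    doc = json.loads(text)
    if not isinstance(doc, dict):
        raise TypeError("expected a JSON object")
    hint = doc.pop("$type", expected.__name__)
    if hint != expected.__name__:
        raise TypeError(f"type {hint!r} rejected, expected {expected.__name__}")
    wanted = {f.name: f.type for f in fields(expected)}
    if set(doc) != set(wanted):
        raise TypeError(f"unexpected or missing fields: {sorted(set(doc) ^ set(wanted))}")
    for name, typ in wanted.items():
        # Scalars only: a nested object (and any type hint inside it) is refused.
        if not isinstance(doc[name], typ):
            raise TypeError(f"field {name!r} must be {typ.__name__}")
    return expected(**doc)

GOOD = '{"name": "ana", "email": "ana@example.test"}'             # constructed input
HOSTILE = '{"$type": "CacheLoader", "path": "/tmp/constructed"}'  # constructed input

if __name__ == "__main__":
    print(strict_load(GOOD, Profile))
    unsafe_load(HOSTILE)
    print("unsafe_load side effects:", SIDE_EFFECTS)
    try:
        strict_load(HOSTILE, Profile)
    except TypeError as exc:
        print("strict_load:", exc)
```

With `unsafe_load` the hostile document instantiates `CacheLoader` even though the application only ever meant to read a `Profile`; `strict_load` rejects it before any constructor runs.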