
Can you explain more? I genuinely don't see any plausible threat model that a user running a Math.random()-based custom algorithm password generator would be susceptible to, but the same algorithm using a SecureRandom one is not. Both cases are so drastically better than manually thinking up a password that it's not even close.

I think if there's any gap it would be that it's wrong to roll your own password generator at all and that you should only use ones authored by security experts: just using SecureRandom instead of Random isn't going to somehow magically guarantee you didn't mess up another way and write a low-entropy password generator.
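
An added example, not part of the comment above: it illustrates the second paragraph's point that a secure random source does not by itself fix a generator's design. The alphabet and the three generator designs are hypothetical, constructed for this example; all three draw from Node's CSPRNG, yet their guaranteed (min-)entropy for a 16-character password differs.

```javascript
const crypto = require('crypto');

// Constructed 70-symbol alphabet (an assumption of this example).
const ALPHABET =
  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*';

// Three hypothetical generators; every one draws from the OS CSPRNG.
const generators = {
  // Hex-encodes the random bytes: only 16 possible symbols per character.
  hex: (len) => crypto.randomBytes(len).toString('hex').slice(0, len),
  // byte % 70: the first 256 % 70 = 46 symbols come up more often than the rest.
  modulo: (len) =>
    Array.from(crypto.randomBytes(len), (b) => ALPHABET[b % ALPHABET.length]).join(''),
  // crypto.randomInt is uniform over [0, 70), so every symbol is equally likely.
  uniform: (len) =>
    Array.from({ length: len }, () => ALPHABET[crypto.randomInt(ALPHABET.length)]).join(''),
};

// Exact symbol probabilities when one uniform byte is mapped to n symbols.
function byteMapDistribution(mapFn, n) {
  const counts = new Array(n).fill(0);
  for (let b = 0; b < 256; b++) counts[mapFn(b)]++;
  return counts.map((c) => c / 256);
}

// Per-character symbol distribution of each design (computed, not sampled).
const distributions = {
  hex: new Array(16).fill(1 / 16),
  modulo: byteMapDistribution((b) => b % ALPHABET.length, ALPHABET.length),
  uniform: new Array(ALPHABET.length).fill(1 / ALPHABET.length),
};

// Min-entropy of a len-character password: set by the likeliest symbol.
function minEntropyBits(probs, len) {
  return -Math.log2(Math.max(...probs)) * len;
}

// One sample password and its min-entropy in bits, per design.
function report(len) {
  const out = {};
  for (const name of Object.keys(generators)) {
    const bits = minEntropyBits(distributions[name], len);
    out[name] = { sample: generators[name](len), bits };
  }
  return out;
}

console.log(report(16));
```
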


