Are JKS (Java Key Store) files encrypted? Do they provide full protection for encryption keys, or do I need to rely solely on access control?
Is there a way to ensure that the keys are protected?

I'm interested in the gritty details, including algorithm, key management, etc. Is any of this configurable?

They are encrypted.

The algorithm is provider dependent. The provider will return the key/certificate based on a password. If you need strong security, find a keystore provider that uses a strong encryption.

To be more precise:

• PrivateKeys and SecretKeys within a JKS file are encrypted with their own password.
• Integrity of trusted certificates is protected with a MAC using the key store password.
• The file as a whole is not encrypted, and an attacker can list its entries without the key store password.