Is it possible under any circumstances for a leak in a Java application, for instance a Tomcat servlet app, to exceed the allocated memory and use additional system memory, or is the allocated heap for the JVM truly firewalled (so to speak) from the (rest of the) OS/Kernel memory? I am working in 2.6 Kernel Linux with Java 6 and 7, but this is more of a general question.

Yes - it's possible. Java memory area is divided into few regions - heap and permgen are not all of them. There are also areas for code cache and native memory, which is quite popular for all of-heap structures. Please take a look at slide 7 of this presentation