From what I know, there is some reflection in the code.
This reflection is used to look at what 'authorization/roles' attributes are set on the controller method. This let's it know if access to that method is allowed and if it should show that controller. Maybe there is a better way of doing
I proposed an alternative method (closed in issue tracker), but maartenba looked at it and said it would not work right now...not sure why.
Additionally, if you ONLY used hand keyed roles in the sitemap and were not relying on the authorization in the controller for determining site map access, you could remove this code and then it may work in partial trust?