When GeoTools initializes a feature backed by a JDBC datastore, it needs to load metadata about the features. These queries are built by concatenating string variables into otherwise fixed SQL queries. This is both dangerous and slow: the strings may contain control characters that affect the query, and the database needs to create a new execution plan for each query even though the basic query is fixed. Using prepared statements and injecting parameters via PreparedStatement.setString() fixes both issues.
GeoServer with tens of feature types backed by multiple Oracle datastores
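The change described above, shown as a before/after pair. This is an added example, not GeoTools code: the class and method names are hypothetical, and the SRID lookup against Oracle's ALL_SDO_GEOM_METADATA view is an assumed stand-in for the metadata queries, which the report does not show.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class SridLookup {
    // Assumed metadata query; the actual GeoTools queries are not shown in the report.
    static final String FIXED_SQL =
        "SELECT SRID FROM ALL_SDO_GEOM_METADATA"
        + " WHERE OWNER = ? AND TABLE_NAME = ? AND COLUMN_NAME = ?";

    // Before: values are spliced into the SQL text. A quote in any value changes
    // the statement, and each distinct table yields new SQL text to parse and plan.
    static String concatenatedSql(String owner, String table, String column) {
        return "SELECT SRID FROM ALL_SDO_GEOM_METADATA WHERE OWNER = '" + owner
            + "' AND TABLE_NAME = '" + table + "' AND COLUMN_NAME = '" + column + "'";
    }

    static Integer sridConcatenated(Connection cx, String owner, String table,
            String column) throws SQLException {
        try (Statement st = cx.createStatement();
             ResultSet rs = st.executeQuery(concatenatedSql(owner, table, column))) {
            return rs.next() ? Integer.valueOf(rs.getInt(1)) : null;
        }
    }

    // After: the SQL text is constant, the values are bound as data, and the
    // database can reuse one cached plan for every feature type.
    static Integer sridPrepared(Connection cx, String owner, String table,
            String column) throws SQLException {
        try (PreparedStatement ps = cx.prepareStatement(FIXED_SQL)) {
            ps.setString(1, owner);
            ps.setString(2, table);
            ps.setString(3, column);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? Integer.valueOf(rs.getInt(1)) : null;
            }
        }
    }

    public static void main(String[] args) {
        // Constructed input: a table name that contains a single quote.
        System.out.println(concatenatedSql("GIS", "ROADS'2024", "GEOM"));
        System.out.println(FIXED_SQL); // identical text whatever the values are
    }
}
```

Running main needs no database: it prints the concatenated statement, where the quote in the constructed table name ends the string literal early, next to the fixed statement text that the prepared version always sends.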