java rmi -Djava.rmi.server.hostname=localhost still opens a socket listening on 0.0.0.0

I assumed that if I set -Djava.rmi.server.hostname=localhost it should only be listening on 127.0.0.1

No.

Am I misunderstanding what java.rmi.server.hostname controls?

Yes. java.rmi.server.hostname has nothing whatsoever to do with what IP address the remote object listens on. That is determined by the RMIServerSocketFactory.

To correct the misquotation from my book in another answer (subsequently deleted):

java.rmi.server.hostname: Hostname string; default value is the local host's IP address in "dotted-quad" format ... which is embedded into remote stubs created by this JVM when remote objects are exported. This can be used to control the effective IP address of RMI servers exported by multi-homed hosts. This property is read exactly once in the life of the JVM.[1]

To expand on that, it can also be used to control the effective IP address (as seen by clients) of RMI servers exported by hosts that are behind NAT devices. It doesn't necessarily have anything to do with the local host, e.g. in NAT situations, and it can be either a hostname, a dotted-quad IPv4 address, or an IPv6 address.

[1] Pitt & McNiff, java.rmi, The Remote Method Invocation Guide, Addison Wesley 2001, p.258.