I had the same issue with adapting sling XSSAPI. If you use the (meanwhile deprecated) com.adobe.granite.xss.XSSAPI it can be adapted without any problem. You can also adapt it right from sling request.
So this is what has changed and the reason it is failing now, in AEM 6.3 the 'com.adobe.granite.xssprotection' bundle wraps the 'org.apache.sling.xss' bundle and exposes its API with two versions:
In AEM 6.5 the decision by our R&D team was taken to update the 'org.apache.sling.xss' API version to 2.0.1 only. Since now the 'org.apache.sling.xss' bundle allows configuring from where the AntiSamy policy is read, this essentially removes the need for the bundle to be wrapped by the Granite API. Thus now in AEM 6.5 'com.adobe.granite.xssprotection' bundle does not wraps the 'org.apache.sling.xss' bundle. The 'org.apache.sling.xss' bundle is now provided as a individual bundle in AEM 6.5.
As an affect of this change, the classes or scripts referring XSSAPI should be adapted in order to get their 'org.apache.sling.xss.XSSAPI' reference through OSGi dependency injection. Something like  should be used in place of .
If this is not possible, then the deprecated com.adobe.granite.xss.XSSAPI should be used.