NH 3.2 has a bug in the default proxy factory (not sure if it's been reported). The generated proxy assembly does not pass peverify because the proxy type constructor calls object::ctor instead of the base type (entity) constructor. This means that lazy loads are limited to full-trust policy.
I fixed the proxy factory to emit call the "real" base type constructor, but this would have the side-effect of preventing constructor DI in entities. Then I added a new provider and contract (DefaultEntityInjector and IEntityInjector) so that DI is supported out-of-box by providing an implementation. The implementation simply needs to provide the constructor arguments for NH's call to Activator.CreateInstance.
I added a test project that demonstrates default constructor, interface based proxy, and non-default constructor cats. Also, peverify reports zero errors on the dynamic assembly. This has also been tested in a pseudo-medium trust environment. The required reflection permissions above default medium are emit & protected member access.
A pull request has requested from https://github.com/nhibernate/nhibernate-core/pull/2