Good thread and great comments! You're right, improving the security around CPAN would help and it would be labor intense. CPAN offers a lot to Perl users, but there are significant risks.

Take Moose/Moo for example. Once you know how to build a Perl object without them, you can see the advantages they bring. Then you have to think through the trade-offs; is the benefit given worth the personal effort required? Once you go outside of OS provided packages you have to keep OS and CPAN installed modules separate, and that can become a real challenge. If your application needs a lot of CPAN you probably want to look at compiling your own Perl and completely moving away from the OS provided packages. My desktop provides Perl 5.32 and I do CPAN installed to /usr/local. It will cause a problem if I use a lot of CPAN, so I avoid that. Other places I provide code for are limited to a much older Perl, and I have to package any module my application uses. Thus I use few. Think about how much you want to share your code, and what someone would have to do to use it. The easier you can make it for your user the higher chance you have of your code being used.

You can also look at virtualenv and carton; they may give you what you need. I do not use them because they add more administrative overhead than I want to deal with.