That would be the way to do it, with the realization that I'm trusting that no one has diddled with the session data file, presumably because I've taken other safeguards to prevent that from happening.
No, the problem is that CGI::Session is managing both the session data retrieval step (using CGI::Session::File from the 'driver:File' option) and executing the de-serialization step (using Storable because of the 'serializer:Storable' option). There doesn't seem to be a good way to insert untainting code between those two steps.
Or, it seems that way. But since someone _must_ have figured this out before, I'm hoping... Meanwhile I've turned taint mode off again (this time on purpose) but know that I have to turn it back on real-soon-now.
Also, I checked the beta 4.x versions of CGI::Session, and while that code is 'better' in that the retrieve() call doesn't directly call the thaw() method, the C::S code still doesn't seem to make it any easier to add code between the two calls.
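As an added example (not from this thread and not CGI::Session's own code), one way to get a check in between retrieval and Storable::thaw without patching CGI::Session is to supply the serializer yourself: a drop-in class that authenticates the stored bytes with an HMAC and only untaints and thaws them once the tag verifies. It assumes the 4.x convention that a `serializer:NAME` DSN entry loads `CGI::Session::Serialize::NAME` and calls its `freeze`/`thaw` as class methods, with `thaw` returning undef on failure; the module name and the SESSION_MAC_KEY variable are placeholders.

```perl
package CGI::Session::Serialize::hmacstorable;   # hypothetical module name
use strict;
use warnings;
use Storable ();
use Digest::SHA qw(hmac_sha256_hex);

# The key must live somewhere the web user cannot write to (not the session
# directory); the environment variable name is a placeholder.
my $KEY = $ENV{SESSION_MAC_KEY} or die "SESSION_MAC_KEY not set";
my $TAG_LEN = 64;   # hex length of an HMAC-SHA256 tag

# Called by CGI::Session (assumed interface) when the session is flushed.
sub freeze {
    my ($class, $data) = @_;
    my $blob = Storable::freeze($data);
    return hmac_sha256_hex($blob, $KEY) . $blob;   # tag prepended to the bytes
}

# Called by CGI::Session (assumed interface) with the raw bytes the driver read.
# Under taint mode those bytes are tainted, so nothing is untainted until the
# MAC proves they are what this application wrote.
sub thaw {
    my ($class, $string) = @_;
    return undef if !defined $string || length($string) <= $TAG_LEN;
    my $tag  = substr($string, 0, $TAG_LEN);
    my $blob = substr($string, $TAG_LEN);
    return undef unless _const_eq($tag, hmac_sha256_hex($blob, $KEY));
    ($blob) = $blob =~ /\A(.*)\z/s;   # untaint: verified, so capture everything
    return Storable::thaw($blob);     # thaw only runs on authenticated data
}

# Length-then-XOR comparison so the time taken does not depend on where the
# tags first differ.
sub _const_eq {
    my ($x, $y) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

1;
```

Because the on-disk format now carries a tag, session files written by the plain Storable serializer will fail the check and load as empty sessions, so switch serializers at a point where dropping existing sessions is acceptable.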