Despite my misgivings over the thing you're trying to do -- its security implications and the impression I get that you're dealing with an XY Problem -- I played with this a little last night. I had some theories:

If I could tie using Tie::StdScalar the ${^GLOBAL_PHASE} variable to a class that warns when entering a phase other than RUN I might be able to detect what is in the pad at those other phases, to determine if other code has been executed. It was a long shot, and ultimately didn't work, because tying GLOBAL_PHASE is disallowed, because it is a readonly.

But that only would have been a kludge anyway. I might have been able to throw an exception if I entered CHECK or START, but those phases should occur any time code is evaled, so it would have led down the next problem of determining if there was custom code in those stages. That's probably nearly impossible. I hadn't really thought that part through, and it would probably never work. But as I mentioned, tie was a non-starter due to the read-only nature of ${^GLOBAL_PHASE}.

Another possibility might have been using attributes, which are phase-aware. But then how to trigger them? It didn't seem like there was a solution there either.

Plus your goal is to disallow code that has custom code in BEGIN, END, DESTROY, CHECK, INIT, and UNITCHECK phases, I think. But UNITCHECK and END don't take place within the eval. In fact, if there's an END in the eval, it gets queued up to run at end of runtime, not at end of the eval scope (see perlmod). Additionally, you really want to detect these phases before any code runs in them. I just don't see it happening.

The alternative is to parse Perl, but then you deal with the Halting Problem. Most naive approaches such as a pattern match can easily be foiled by someone embedding a simple tr/// within the eval, to hide a second level of eval behind a ROT13 cipher. It is nearly impossible to programatically grok what is going to happen inside a string eval without doing a string eval.

I just don't think you're going to find a solution that protects you from code running in phases you don't want it to. But if you're string evaling code a user gave you, global phases are the least of your risks.