If a website has more than one environment, then you need a plan anyway (again, nothing to do with taint mode) how you deploy and maintain the files in your different environments. There are many solutions for that, but I'd go for something like this:
/home/myusername/somewebsite/prod/cgi-bin
/home/myusername/somewebsite/prod/lib
/home/myusername/somewebsite/prod/templates
That is pretty much what I have at present - except the contents of lib are hung directly off cgi-bin. So doing it that way doesn't mean changing things drastically which is a good thing.
But I don't see how having the modules like this
/home/myusername/somewebsite/prod/lib/Site/HTML.pm
is anymore secure than having them like this
/home/myusername/somewebsite/prod/cgi-bin/Site/HTML.pm
as they are still accessible through HTTP as
prod/ is the web root. Of course they can be made inaccessible either through putting an
index.html file in there or through an
.htaccess file.