First, you can use <Perl> sections to configure Apache. But I believe you can only do this in the httpd.conf & PerlRequire files. <Perl> sections are very cool, but from what I've seen to have some bugs you might have to work around. I've never used them personally, but many folks do. They work well, and can save lots of tedious work in httpd.conf

To answer your second question, yes, your users can potentially use the mod_perl API to do nasty things. You can read some of the configuration through $r->server->xxx methods. See pg 455 in the Eagle book.

Depending on how much power you grant to .htaccess files, you can do some interesting things in setting PerlHandlers. The major problem is that everything is cached in RAM. And there are ways to get to the stored values.

Bottom line: if you trust the users on the system, go for it. If you're worried about kiddies, you should forgo mod_perl. I hope some of these potential security problems are addressed in mod_perl 2, but I don't know.