Perl, generally speaking, isn't set up to deal with security on quite that level. It will make sure it doesn't expose garbage data in allocated strings and such, but it won't zero out freed memomry or anything of the sort, so... It is definitely possible that XS (or nasty unpack tricks) could dance through a process' own memory and find sensitive stuff.

The solution to this, if you need it, is to either recompile with perlmalloc and change perl's free call to zero freed memory, or to link against a custom malloc library that did the same thing.