in reply to Security question

I think you have a false presupposition. The output of a CGI program is not further rescanned under Apache. (Dunno other servers, but don't think so there either.)

The problem is not because a CGI script is displaying SSI. The problem is when a CGI script has made an HTML file that then is processed, with SSI enabled (via mod_include instead of mod_cgi). That's where it'll get ya.

-- Randal L. Schwartz, Perl hacker
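
The case described above, as an added example that is not part of the original post: a CGI script that stores visitor text in a file which Apache later parses with mod_include. The guestbook scenario, the function names and the sample comment are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the original post). Assumed scenario: a CGI script
# appends visitor text to guestbook.shtml, which mod_include parses on each
# later request. All function names here are hypothetical.
use strict;
use warnings;

# An SSI directive must begin with the literal bytes "<!--#". Encoding "<"
# (plus the other HTML metacharacters) leaves mod_include nothing to parse.
my %ENTITY = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
              '"' => '&quot;', "'" => '&#39;');

sub escape_for_ssi_page {
    my ($text) = @_;
    $text = '' unless defined $text;
    $text =~ s/([&<>"'])/$ENTITY{$1}/g;
    return $text;
}

# "Before": visitor text is written verbatim into the stored page.
sub render_entry_unsafe {
    my ($name, $comment) = @_;
    return "<li><b>$name</b>: $comment</li>\n";
}

# "After": every visitor-supplied field is escaped before it is stored.
sub render_entry_safe {
    my ($name, $comment) = @_;
    return sprintf "<li><b>%s</b>: %s</li>\n",
        escape_for_ssi_page($name), escape_for_ssi_page($comment);
}

# Constructed sample input containing a harmless SSI directive.
my $comment = 'nice site <!--#echo var="DATE_LOCAL" -->';

for my $render (\&render_entry_unsafe, \&render_entry_safe) {
    my $line = $render->('visitor', $comment);
    my $verdict = $line =~ /<!--#/
        ? 'directive survives, mod_include would act on it'
        : 'inert text';
    print "$verdict: $line";
}
```

If the stored file does not need SSI at all, serving it from a location without `Options Includes` removes the second parsing pass entirely.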