in reply to qr/string/ is not the same as qr/$var/ ?

I'll use \U as an example, because it's slightly less mind-bending to follow what's going on. But the same thing applies to all three directives (and it's really only \Q that I'm really interested in).
I think \U has to do with string interpolation rather than with actual regexen. In fact perlre says:
Because patterns are processed as double quoted strings, the following also work:
Now all is fine, but the cure is worse than the disease. Any person reading the code will quickly spot that they could have a lot of fun by specifying a pattern such as /.`rm -rf /`./ and then you are in a world of pain.

At this point, the only way out of this conundrum that I can see is to either hand parse the pattern (erk) or use a Safe compartment (re-erk).

I'm not sure how relevant this may be to your security concerns, but it is often said that allowing arbitrary regexen to be passed in is risky in any case. And it is also known that Safe.pm itself has holes that experienced hackers (certainly not me, that is!) can exploit, due to it being more of an afterthought than something designed into the language ab initio.

Just my two eurocents.
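
The "hand parse" option mentioned in the thread, sketched for \Q...\E only, as an added example that is not part of the original post. The names `expand_quotemeta` and `compile_user_pattern` are hypothetical, the sample pattern is constructed, and the sketch assumes that everything between \Q and \E is literal text.

```perl
use strict;
use warnings;

# Expand \Q...\E in a pattern that arrives in a variable, without string eval.
# Assumption: everything between \Q and \E (or the end of the string) is
# literal text, backslashes included.
sub expand_quotemeta {
    my ($pat) = @_;
    my ($out, $quoting) = ('', 0);
    # Tokens: a directive, any other escaped character, a run of plain text,
    # or a trailing lone backslash. "\\Q" therefore reads as an escaped
    # backslash followed by a plain Q, not as a directive.
    for my $tok ($pat =~ /\G(\\[QE]|\\.|[^\\]+|\\\z)/gs) {
        if    ($tok eq '\\Q') { $quoting = 1 }
        elsif ($tok eq '\\E') { $quoting = 0 }
        else  { $out .= $quoting ? quotemeta($tok) : $tok }
    }
    return $out;
}

# Compile the expanded pattern. Block eval only traps a compile error; no
# Perl source is built from the input. Without "use re 'eval'" in scope,
# qr// refuses (?{ ... }) code blocks in an interpolated pattern.
sub compile_user_pattern {
    my ($pat) = @_;
    my $expanded = expand_quotemeta($pat);
    my $re = eval { qr/$expanded/ };
    return $re;    # undef if the pattern did not compile
}

# Constructed sample input, standing in for a pattern read from a user.
my $user = '^\Qa.b(c\E\d+$';
my $re   = compile_user_pattern($user) or die "bad pattern\n";
print "expanded: ", expand_quotemeta($user), "\n";
for my $s ('a.b(c42', 'axb(c42') {
    printf "%-8s %s\n", $s, ($s =~ $re ? 'matches' : 'does not match');
}
```

This removes the code-execution path of the string-eval approach; it does not address the cost of running an arbitrary user-supplied regex, which the reply above also raises.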
