rename doesn't do shell expansion. system does, but only when you pass it a single argument.

One reason to "taint check" filenames, particularly if the starting directory must be writeable by people or scripts that you can't necessarily trust, is to contain damage by preventing hacked filenames from moving downstream where they might be handled by other scripts or applications.

So it looks like what you need is a regex that will sanity check a filename given some set of rules for whatever platform you're on. (E.g., don't allow shell metacharacters).

You haven't said what you need to do if a filename flunks checking. Delete it?

if ( $filename =~ m/^(?:[A-Za-z0-9.])*$/ ) {
   rename $filename, "$newdir/$filename" or die "rename $filename: $!";
} else {
   unlink $filename or die "unlink $filname: $!";
}