The wrapper script doesn't elevate privileges in any way so if you want to touch /root/evilfile then you need root privileges. In which case you can touch whatever you like. Or am I missing something?
Also, I think in your proposal the data on STDIN would be lost, but I have not tested it either. Using eof() is a simpler way to check for data but in practice it wouldn't save anything in this case. Reading from an EOF handle shouldn't take long, and if it's not EOF then I need to read the data anyway. (Or pass it to /bin/mail some other way?)
Time flies when you don't know what you're doing