Checking if $^X is a valid file name doesn't make it safe. You might as well use /(.*)/s.

On the plus side, there doesn't appear to be any reason for $^X to be tainted in Windows.

use Win32::Process;

sub ErrorReport{
   print Win32::FormatMessage( Win32::GetLastError() );
}

Win32::Process::Create(
   my $child,
   'c:\\progs\\perl5100\\bin\\perl.exe',
   'evil -le"print $^X"',
   0,
   NORMAL_PRIORITY_CLASS,
   "."
)
   or die ErrorReport();

$child->Wait(INFINITE);
[download]

c:\progs\perl5100\bin\perl.exe
[download]

If you trust the perl you are running, then it looks like $^X is safe.
If you don't trust the perl you are running, then it doesn't matter if $^X safe or not.

By the way,
everything that matches qr{^[^/\0]+\z} is a valid file name in unix,
and everything that matches qr{^[^\0]+\z} is a valid file path in unix.
I don't know where you got qr{ (\A[- + @ [:word:] . / ]+)\z }x from.