Stripes does not have a single doPrivileged() code block in it. I did a full search.

Neither does log4j, and my guess is that most of the libraries that we use don't have them either.

I'm really no security expert, but it sounds to me that the gain vs effort ratio in this effort would not be very high. Especially since most of the attacks so far seem to be XSS vectors, which really don't touch the JVM at all.

/Janne
