The issue is preventing pointers to the real stack on the real stack. I'm pretty sure you can't do that reliably at the LLVM IR level, since as I said such pointers can be introduced during code generation. In fact, I just looked at the source to the merged pass, and it doesn't even try - it only checks if stack pointers are passed to calls, but e.g.
int *p = cond ? &a : &b;
...later enough that this isn't trivially optimized into two stores...
*p = 1;
will probably not be flagged (it depends on what optimization passes have run before the SafeStack pass), but will put the pointer in the stack or a register that may be saved.