Well, on general principle I wouldn't let developers use sp_execresultset as it is undocumented. This means Microsoft may choose to change or remove it, as they did in SQL2005, or not support it in versions where it does exist.

As for sql injection, I'm no expert but I am of the belief that a well-written interface would prevent that and not SQL iteself. SQL injection, and someone correct me if I am wrong, is an interface vulnerability and not a SQL one, per se.

I'm pretty sure the sp_execresultset stored proc runs under the authority of the current user. The current user, however, must have rights to query the master database table sysdatabases and each database to sysfiles.