[eluser]Matthieu Fauveau[/eluser]
Even if it's not documented, CI can filter $_SERVER through xss_clean if you set the second parameter to TRUE. But I believe you know that, if I read you correctly.
It might be a matter of performance that CI does the _clean_input_data only on $_GET, $_POST and $_COOKIE...