The case against using RubyGems.org in production (honeybadger.io)
8 points by why-el on June 27, 2013 | hide | past | favorite | 1 comment


I agree with Starr about having your own Gem repository available for the code you want to deploy to your servers.

However, I don't think this solves the initial problem, and that is that you have to develop a trust with the people writing the Gems.

For the Rails gem, I'm just going to trust those guys, because of their track record, but for a random gem writer with their first Gem, I'm going to read the code of that gem to ensure that it does what it says it does.

Having your own gem server doesn't remove this step, but it does put a roadblock in to stop a gem writer putting in bad code once you've decided to use it.

So this is a two-step process:

    1. Read the Gem code (or trust some other way)
    2. Create a Gem Server to isolate from unwanted updates
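As an added example (not from the comment or the linked article), here is a Ruby check that enforces both steps against a Gemfile.lock before deploy: every GEM section must resolve from the private gem server, and every resolved version must be one someone has actually read. The lockfile, the host gems.example.internal and the reviewed allowlist are all constructed values.

```ruby
# Constructed sample Gemfile.lock (not from the page): public and private remotes.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rake (10.1.0)

  GEM
    remote: https://gems.example.internal/
    specs:
      rails (4.0.0)
        rake (>= 0.8.7)

  DEPENDENCIES
    rails
LOCK

# Step 1: gems whose code has been read, pinned to the exact version reviewed.
# Step 2: the only remote deploys may resolve from. Both are hypothetical values.
REVIEWED = { "rails" => ["4.0.0"], "rake" => ["10.1.0"] }.freeze
ALLOWED_REMOTES = ["https://gems.example.internal/"].freeze

# Minimal Gemfile.lock reader: one hash per GEM section (remote + name => version).
def parse_lock(text)
  sections = []
  current = nil
  text.each_line do |line|
    if line =~ /\A(\S+)\s*\z/ # section header: GEM, PLATFORMS, DEPENDENCIES, ...
      current = line.strip == "GEM" ? { remote: nil, specs: {} } : nil
      sections << current if current
    elsif current && line =~ /\A  remote: (\S+)/
      current[:remote] = $1
    elsif current && line =~ /\A    (\S+) \(([^)]+)\)\s*\z/ # 4-space indent = resolved gem
      current[:specs][$1] = $2
    end
  end
  sections
end

# Policy check; an empty list means every gem comes from an allowed remote at a reviewed version.
def audit_lock(text, reviewed: REVIEWED, remotes: ALLOWED_REMOTES)
  findings = []
  parse_lock(text).each do |sec|
    findings << "untrusted source #{sec[:remote]}" unless remotes.include?(sec[:remote])
    sec[:specs].each do |name, version|
      findings << "#{name} #{version} not reviewed" unless reviewed.fetch(name, []).include?(version)
    end
  end
  findings
end
```

Run it in CI against the real Gemfile.lock and fail the build when `audit_lock` returns anything; a bumped version or a stray public remote then blocks the deploy until it has been reviewed.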
