Unfortunately (or fortunately?), no privilege is required to execute native functions (including SLEEP).
The SLEEP() attack can be dangerous. Think about websites: if SQL is injected into the SQL queries that read data necessary to make the home page appear, and there is no caching system, no user will be able to see the home page for X seconds.
If you don’t trust your applications, IMHO, there is only one way to prevent those attacks: on MariaDB and old MySQL versions, it’s MaxScale; on MySQL 5.7 it’s the query rewriting plugin.
Another way could be only GRANTing the permission to execute stored procedures… but if you can do that, your company has control over the applications, so simpler solutions are possible.
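
The stored-procedure-only approach from the last paragraph, sketched as an added example that is not part of the original post. The schema `shop`, table `articles`, procedure `home_page_articles` and account `app_user` are hypothetical names, and the password is a placeholder.

```sql
-- Added example; all object names here are hypothetical.
-- Run as an administrative account in the mysql command-line client
-- (DELIMITER is a client command, not server SQL).
CREATE DATABASE IF NOT EXISTS shop;
USE shop;

CREATE TABLE IF NOT EXISTS articles (
    id        INT PRIMARY KEY,
    title     VARCHAR(200) NOT NULL,
    published TINYINT(1)   NOT NULL DEFAULT 0
);

DELIMITER //
-- The only entry point the application gets for the home page data.
-- SQL SECURITY DEFINER: the body runs with the creator's privileges,
-- so the application account needs no SELECT on the table itself.
CREATE PROCEDURE home_page_articles(IN p_limit INT)
    READS SQL DATA
    SQL SECURITY DEFINER
BEGIN
    SELECT id, title
    FROM articles
    WHERE published = 1
    ORDER BY id DESC
    LIMIT p_limit;   -- typed INT parameter: a value, never SQL text
END//
DELIMITER ;

-- Application account: EXECUTE on this one routine and nothing else.
CREATE USER 'app_user'@'localhost' IDENTIFIED BY 'REPLACE_WITH_A_STRONG_PASSWORD';
GRANT EXECUTE ON PROCEDURE shop.home_page_articles TO 'app_user'@'localhost';

-- Check: expect only USAGE plus the single EXECUTE grant.
SHOW GRANTS FOR 'app_user'@'localhost';

-- Shape of the call the application should send: the argument is bound,
-- so user input reaches the server as data and is not parsed as SQL.
PREPARE stmt FROM 'CALL shop.home_page_articles(?)';
SET @n = 10;
EXECUTE stmt USING @n;
DEALLOCATE PREPARE stmt;
```

Because native functions need no privilege, the grant by itself does not make SLEEP() unavailable to the account. The benefit comes from the application sending only the `CALL` with bound, typed parameters.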