I fixed a few of these once upon a time in 2.6 or so to deal with an fd exhaustion issue on linux, would be willing to take on more. In that case even in success they were leaking, as opposed to only causing issues in cases of failures (more on this below).
If you have a list of cases that are used wrong (returning an InputStream isn't necessarily bad of course, since the calling code itself might have a try-with-resources), I can hit them and see what falls out.
I'm not sure copying literally every InputStream you see into a ByteArrayInputStream is a constructive suggestion, since of course to be defensive, anything given an InputStream needs to make yet another copy, or all of these APIs need to be adjusted to take ByteArrayInputStream, etc as a parameter to be clear that the stream has been closed. Is there another best practice that can make this cleaner, perhaps rewritting something like the Response interface so it implements AutoClosable so that _it_ can be try-with-resource'd?
Quickly reviewing all cases where Responses.newBinaryStreamResponse is called (transitively), all usages either return right away (so no error can happen), or com.google.gwt.dev.codeserver.WebServer#handleRequest where yes, it is possible for a NPE or something could happen prior to page-send (which then cleans up correctly in a try/finally), but that would point to rather broken code. Response can't be null, target can't be null, the logger really shouldn't throw and the response shouldn't be able to throw in setHeader). Or is there something concerning in handleRequest that you see which can surprisingly error out before page.send(...) can be reached?