I am on the opposite spectrum of this opinion. We had to write our own
library on top of the basic Royale for our applications that was more security
minded. All of our defaults are for innerText, as it will not interpret the
contents, or use new variants that already have security built in, such as a
textarea's "value", which has security considerations by default now. This is
important, as cybersecurity teams or software tests can easily show basic XSS in
fields, either reflected or stored. Remember the end users are the ones that
are directly affected by vulnerabilities built into a web application, and a
developer that does not follow good sanitization practices will surely let
easily preventable vulnerabilities in.

We should always have secure defaults, but allow developers to violate good
security practices on their own as a conscious decision.


-Mark K
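An added example of the secure-default pattern the post argues for, in plain JavaScript; this is not code from the thread or from Royale, and the element stand-in, the `setValue` helper and the sample input are assumptions constructed for the example.

```javascript
// Escape the characters that matter when untrusted text must be embedded
// inside markup you build yourself.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Minimal stand-in for a DOM element so the example runs outside a browser
// (constructed for this example; in a page you would pass a real HTMLElement).
// As with a real element, assigning textContent replaces the children with one
// text node, which serializes with &, < and > escaped, so no tag survives.
function makeElement() {
  let html = '';
  return {
    get innerHTML() { return html; },
    set innerHTML(v) { html = String(v); },      // parsed as markup
    set textContent(v) {
      html = String(v).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
    },
  };
}

// Secure default: the value is assigned as text and never parsed as HTML.
// Rendering raw markup requires { allowHtml: true }, a conscious decision the
// caller owns, for values that are trusted or sanitized upstream.
function setValue(el, value, opts = {}) {
  if (opts.allowHtml === true) {
    el.innerHTML = value;
    return 'html';
  }
  el.textContent = value;
  return 'text';
}

// Constructed sample of untrusted input as it might arrive from a form field.
const UNTRUSTED = 'Hi <b>there</b><script>alert(1)</script>';

function demo() {
  const byDefault = makeElement();
  const mode = setValue(byDefault, UNTRUSTED);              // 'text': shown literally
  const optIn = makeElement();
  setValue(optIn, UNTRUSTED, { allowHtml: true });          // tags survive: the risky path
  const wrapped = makeElement();                            // markup of our own + escaped text
  setValue(wrapped, '<p class="note">' + escapeHtml(UNTRUSTED) + '</p>', { allowHtml: true });
  return { mode, byDefault: byDefault.innerHTML, optIn: optIn.innerHTML, wrapped: wrapped.innerHTML };
}
```

Only the `allowHtml` call sites need review for XSS, which is the point of making the safe path the default.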
