How WordPress sanitizes post content on save? Or it doesn’t?

Safe against/for what? Is “a legitimate user can input any HTML” a safety issue?

If you might handle data from kind-of-but-not-really trusted users, how about giving admins the possibility to define which tags/attributes to strip out (optionally: per user group / role) and your plugin does the rest, or run the content through a filter where they can implement their own logic with add_filter?

tech