Is there a way to globallly apply esc_html( … ) to all inputs and anchors to filter out XSS markup?
No, by the time you have output it’s too late, any damage has already been done.
Even if you could do this, you wouldn’t want to, escaping is highly contextual. Escaping is about enforcing assumptions, e.g. <a href="<?php echo esc_url( $url ); ?>... forces $url to be a URL even if it isn’t. No more it should be a URL, it will always be a URL. It might be a mangled URL but it’s guaranteed to be a URL. esc_html isn’t a catch all escaping function for all occasions.
By the time you have HTML, it’s too late to apply escaping, and you have no context to figure out which escaping function can be used.
You could go over the HTML with a DOM parser but this would do nothing to prevent HTML tag injection or XSS attacks. It also wouldn’t be able to apply escaping as the values are already there, the most it could be is sanitising and validation, which are not escaping. wp_kses_post can be used to whitelist valid tags but WordPress already does this, and doing it on the_content filter would break embeds and other content that use legitimate tags etc
Likewise plugins that try to do this cannot be trusted, it’s not something that can be done. There is no general automatic escaping that can be applied in PHP after the fact, it has to be done on output to be safe and reliable.