WordPress built-in custom fields don’t validate or sanitize? Is there a way to fix this?

Unfiltered HTML in post content and title is a capability usually reserved for admins. If you don’t want to allow that for your users, don’t make them admins.

Sanitization of custom fields has to be provided by the code author. There are use cases for such fields where entering JavaScript code is a desired feature. Again, if you don’t want that, disable it.

This is not a security issue: you can control everything, and you should not install code you didn’t read and understand. That part is not WordPress specific. 🙂
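The following is an added example of what "provided by the code author" looks like in practice; it is not code from the answer above or from WordPress core. It assumes a plugin that stores a plain-text custom field under the hypothetical meta key `my_plugin_tagline`, and uses the real `register_post_meta()` arguments `sanitize_callback` and `auth_callback` to sanitize the value on every write and to restrict who may write it.

```php
<?php
/**
 * Added example (not part of the original answer): a plugin taking
 * responsibility for sanitizing its own custom field.
 * The meta key 'my_plugin_tagline' is hypothetical.
 */

add_action( 'init', function () {
    // Registering the key attaches the sanitize_callback to
    // sanitize_post_meta_my_plugin_tagline, so add_post_meta(),
    // update_post_meta() and REST API writes all pass through it.
    register_post_meta( 'post', 'my_plugin_tagline', array(
        'type'              => 'string',
        'single'            => true,
        'show_in_rest'      => true,
        'sanitize_callback' => 'my_plugin_sanitize_tagline',
        // Only users who can edit posts may write this key, regardless
        // of whether they hold unfiltered_html.
        'auth_callback'     => function () {
            return current_user_can( 'edit_posts' );
        },
    ) );
} );

/**
 * Strip all HTML for a plain-text field. If a limited set of markup is
 * wanted instead, wp_kses_post() keeps the post-content allowlist.
 */
function my_plugin_sanitize_tagline( $value ) {
    return sanitize_text_field( (string) $value );
}

/**
 * Sanitizing on save is not a substitute for escaping on output:
 * the stored value might predate the sanitizer or come from another plugin.
 */
function my_plugin_render_tagline( $post_id ) {
    $tagline = get_post_meta( $post_id, 'my_plugin_tagline', true );
    echo '<p class="tagline">' . esc_html( $tagline ) . '</p>';
}
```

If a field is written through the generic Custom Fields meta box rather than through your own code, the same `sanitize_post_meta_{$meta_key}` filter still applies once the key is registered, so the registration above covers that path as well. For the capability side of the answer, adding `define( 'DISALLOW_UNFILTERED_HTML', true );` to `wp-config.php` removes `unfiltered_html` from every role, administrators included, which is the blunt way to "not allow that" when role assignment alone is not enough.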