Ok, it was my oversight – and s_ha_dum was almost spot on – I was kindly directed to this:
http://codex.wordpress.org/Security_FAQ#Why_are_some_users_allowed_to_post_unfiltered_HTML.3F
which explains the situation perfectly.
In case this is of any use to anyone: I have fixed it for the site I’m working on using the wp_insert_post_data filter, like this:
add_filter( 'wp_insert_post_data', 'filter_post_data', 99, 2 );
function filter_post_data( $data, $postarr ) {
    // $data is an array of post fields; wp_kses_post() expects a string,
    // so filter the content field rather than the whole array.
    if ( isset( $data['post_content'] ) ) {
        $data['post_content'] = wp_kses_post( $data['post_content'] );
    }
    return $data;
}
I am hoping I’ve got something wrong here, this seems very…wrong?!
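The same idea carried a step further, as an added example that is not part of the original post or of WordPress itself: the filter handles the slashing that wp_insert_post() applies to $data before the wp_insert_post_data filter runs (the filtered array is unslashed again afterwards), and it covers post_excerpt as well as post_content. The function name is an assumption; wp_kses_post(), wp_slash() and wp_unslash() are standard WordPress functions.

```php
<?php
// Added example (not from the original post): force kses filtering on every
// save, regardless of whether the author holds the unfiltered_html capability.
add_filter( 'wp_insert_post_data', 'example_force_kses_on_save', 99, 2 );

function example_force_kses_on_save( $data, $postarr ) {
    // At this point $data is slashed (wp_insert_post() unslashes it after the
    // filter), so unslash before running kses and re-slash the result;
    // otherwise backslashes could be doubled or stripped on save.
    foreach ( array( 'post_content', 'post_excerpt' ) as $field ) {
        if ( isset( $data[ $field ] ) && is_string( $data[ $field ] ) ) {
            $clean           = wp_kses_post( wp_unslash( $data[ $field ] ) );
            $data[ $field ]  = wp_slash( $clean );
        }
    }
    return $data;
}
```

wp_filter_post_kses() is the core wrapper that does this stripslashes / wp_kses / addslashes dance for a single field, so `$data['post_content'] = wp_filter_post_kses( $data['post_content'] );` is an equivalent one-liner per field. The priority of 99 keeps this filter after the core sanitisation so nothing later re-introduces unfiltered markup.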