Sounds like, and I was glad you shared what you found!
I still think using tokens on everything is wise, even when it is an internal tool. We also will often use a low-cost or free-tier service that does content moderation when it is a public form or comment area. https://sightengine.com/pricing is reliable and fast & if you have a lower-traffic site (under 500 content checks a day), it costs nothing.
I suppose combining/concatenating Summernote fields in layouts later could pose some risks if someone was reeeaaaly trying.
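On the concatenated-Summernote point: Summernote stores what the user typed as HTML, so the thing to check when several stored fields are stitched into one layout is that each field is run through an allowlist sanitizer and has its open tags closed before concatenation; otherwise one field's markup (an unclosed tag, an `onmouseover` attribute, a `javascript:` link, a `<script>` block) leaks into the next field or the surrounding page. The following is an added example, not code from this thread or from the Summernote project; the allowlist, the `render_comment_block` helper and the stored-field strings are constructed assumptions for illustration.

```python
"""Allowlist HTML sanitizer for stored rich-text fields (constructed example).

Each field is sanitized on its own and its tags are balanced before the
fields are concatenated into a layout, so nothing in one field can change
how the next one (or the page around it) is parsed.
"""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: what a comment or form body legitimately needs.
# Any other tag is dropped (its text is kept, escaped); any other
# attribute, including every on* event handler, is dropped.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em",
                "ul", "ol", "li", "a", "blockquote"}
VOID_TAGS = {"br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_href(value):
    """Accept only http(s)/mailto or relative links; reject javascript:, data: etc."""
    # Browsers ignore ASCII control characters and whitespace inside a URL,
    # so "java\tscript:" is still javascript:. Strip them before checking.
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    scheme = urlparse(cleaned).scheme.lower()
    if scheme == "":
        return not cleaned.startswith("//")  # relative path or fragment only
    return scheme in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self.skip_depth = 0  # >0 while inside <script>/<style>: text is discarded

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself, keep (escaped) text content
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and value is not None:
                if name == "href" and not safe_href(value):
                    continue
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag in self.open_tags:
            # Close back to the matching tag so the output stays balanced.
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if self.skip_depth == 0:
            # HTMLParser hands us decoded text; re-escape it so "<" stays text.
            self.out.append(escape(data, quote=False))

    def result(self):
        # Close anything the field left open so it cannot swallow the next field.
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html):
    s = Sanitizer()
    s.feed(html)
    s.close()
    return s.result()


def render_comment_block(fields):
    """Hypothetical layout step: concatenate several stored fields, each sanitized."""
    sections = "".join(f"<section>{sanitize(f)}</section>" for f in fields)
    return f'<div class="comment">{sections}</div>'


if __name__ == "__main__":
    # Constructed stored fields, not data from any real site.
    STORED_FIELDS = [
        '<p>Looks <b>good</b> to me.</p>',
        '<p onmouseover="alert(1)">See <a href="javascript:alert(document.cookie)">this</a></p>'
        '<script>fetch("/steal")</script>',
        '<b>unclosed tag that would otherwise bold the rest of the page',
    ]
    print(render_comment_block(STORED_FIELDS))
```

Sanitize at render time (or at save time and again at render time), never only in the editor: Summernote's client-side behaviour is irrelevant to someone posting the HTML directly to the form handler, which is also why the per-request tokens mentioned above still matter on internal tools.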