I think it's simpler: don't touch untrusted content unless/until you need to.