@nickfmc – thanks for raising this again. It’s certainly a valid and topical point. In essence, EVERYTHING should be escaped on output – as per earlier links in this post.
@elliot as per previous comments, I think it’s really crucial that the documentation is updated to make users aware that data is not escaped automatically (& indeed, couldn’t be, as it will depend on context).
Welcome to the Advanced Custom Fields community forum.
Browse through ideas, snippets of code, questions and answers between fellow ACF users