I think it's too much effort for too little gain. The motivation feels very weak; surely writing

    os.system("echo " + message_from_user)

is just as easy (as is the %s spelling), so the security issue can hardly be blamed on PEP 498. I also don't think that the current way to address such security issues is a big deal:

- The subprocess module is complex for other reasons, and a simpler wrapper could easily be made;
- Database wrappers have forever included their own solution for safely quoting query parameters, and people who still don't use that are not likely to care about i-strings either.
- Logging: again, it's hard to beat the existing solution, which mostly comes down to using %r instead of %s for any user-supplied or otherwise unverified data.
- HTML quoting is an art and I'm skeptical that the proposal will even work for that use case.
--
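The four existing remedies the message lists (argument-list subprocess calls, DB-API parameter binding, %r in log lines, html.escape), side by side with the concatenated os.system string it quotes, as an added Python example that is not part of the original thread; the input string, the users table and all function names are constructed for illustration.

```python
import html
import shlex
import sqlite3
import subprocess

# Constructed sample input: a user message carrying a shell metacharacter.
MESSAGE_FROM_USER = "hello; echo INJECTED"


def echo_command_unsafe(message: str) -> str:
    """The command string os.system("echo " + message) would hand to a shell.
    Returned, not executed, so the second command spliced in by ';' is visible."""
    return "echo " + message


def echo_command_quoted(message: str) -> str:
    """Same shell string, but with the user data quoted as one word via shlex."""
    return "echo " + shlex.quote(message)


def echo_safe(message: str) -> str:
    """No shell at all: the argument-list form of subprocess passes the
    message as a single argv entry, so ';' is just a character."""
    done = subprocess.run(["echo", message], capture_output=True, text=True, check=True)
    return done.stdout.rstrip("\n")


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table for the parameter-binding example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def lookup_user(conn: sqlite3.Connection, name: str) -> list:
    """DB-API parameter binding: the driver quotes the value, the query text is fixed."""
    rows = conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()
    return [row[0] for row in rows]


def log_line(event: str, data: str) -> str:
    """%r keeps untrusted data delimited and escapes newlines, so a log entry
    cannot be made to look like two entries."""
    return "%s: %r" % (event, data)


def html_paragraph(message: str) -> str:
    """html.escape turns markup characters in user text into entities."""
    return "<p>%s</p>" % html.escape(message)
```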