I think one fundamental problem is that you can’t detect programmatically if a string needs to be escaped or not.
For instance, the sequence & might be an already escaped & or it might be the text to tell you how to escape an ampersand and needs to be converted to &
That's a problem which Python can't solve. This is up to the consumer of InterpolationTemplate.
Regards,
Thomas
Promoting sloppy coding by handling the most common cases is the way to it easier to create security vulnerabilities.
Maybe if escaped strings had a different type than unescaped strings, but then you need a bunch of different types for different rules for escaping.