Since Twig already does much of the work for us, it's also important not to go overboard with escaping. Veteran Drupal 7 developers may have a tendency to escape things like there is no tomorrow, but this can have unintended consequences. For example, imagine the following scenario:
return [ '#theme' => 'my_custom_theme', '#title' => 'The cow\'s got milk.', ];
Since Twig is auto-escaping, the following string will be printed:
The cow's got milk.
So there is no visible change as the string was safe. However, imagine that we were overzealous with our sanitization and did this:
return [
'#theme' => 'my_custom_theme',
'#title' => Html::escape('The cow\'s got milk.'),
];
Then, we would get the following title:
The cow's got milk.
That is because the first time it is escaped, Drupal turns the apostrophe into an HTML entity ('). However, the browser renders it correctly, so we don't actually see it. The second escaping turns the individual characters from that HTML entity into their respective HTML entities. In this case, the & character gets turned into &. So, the entire string is no longer properly readable by the browser.
I now draw your attention for a moment to Chapter 4, Theming. In that chapter, we saw that the #markup and #plain_text properties already serve to sanitize the user input passed through them. The first uses the Xss::filterAdmin() method, whereas the latter uses the Html::escape() method. So, keep in mind that if you use those as part of your render arrays, you may not need further sanitization.