Why the Sanitizer API is just `setHTML()`