Hey,
This is clearly not the case. Because there are XSS vectors all over these widgets. Developers who understand security do not monitor code strewn about in piles of wiki pages. They in no way have the same level of gatekeeping as extensions.
So instead of writing a widget publicly visible, the random third party admin who barely knows the basics of PHP goes and writes something that quite possibly is not published anywhere and can have gaping security holes not known to them and remaining so. You also mention stuff such as Html::element. Guess what - they might not know about it. I have looked at A LOT of extensions, and I can assure you that you have a rather rosy view on the subject.
Cheers
-- Jeroen De Dauw http://www.bn2vs.com Don't panic. Don't be evil. --