1. Open form
   
2. Open browser console
3. CKEDITOR.instances[textareaId].destroy(true);
4. Paste XSS
   
5. Submit
   

I don't see any issue related to this bundle here. Regardless of used WYSIWYG editor you MUST do validation/sanitization on your own, using good tools like: https://github.com/tgalopin/html-sanitizer-bundle

Without an editor, the default is to escape HTML characters and there are no problems. It turns out this bandl adds only a few javascript lines and no backend check? You can, by default, add the same html-sanitizer-bundle to yourself and add backend processing to the html so that developers can safely install the bundle from the composer without unnecessary actions.

Without an editor, the default is to escape HTML characters

No, it isn't. Symfony framework itself does not escape HTMl characters while saving. Escaping/sanitizing should be done using sanitizer while saving or reading or on template side, using twig filter. IMHO this bundle is not responsive for handling data the way you want.

You may want provide your application repository to see how is done "submit" action shown on screenshot.

When displaying, twig shields HTML by default.

{% set var = '<p>test</p>' %}
{{ var }}

output:
<p>test</p>

Unfortunately, I can not provide access, because the private repository. To generate the form used https://github.com/sonata-project/SonataAdminBundle

Using FOSCKEditorBundle is as simple as this:

1. Install the bundle suggested by @TomaszGasior
2. Edit the desired forms adding the following attribute:

->add('content', CKEditorType::class, [
    'config_name' => 'advanced',
    'required' => false,
    'sanitize_html' => true, // this is the important line
])

3. Done!