@Lilly is correct. There isn’t enough distrust on the back-end here.
Since this came up, I decided to check if this also affects the profile page, and it doesn’t. We correctly sanitize values when users update their profile. That made it relatively straightforward to just copy that sanitization logic to the sign-up endpoint as well. A PR is here:
I don’t think it technically is. Yes, users can put arbitrary values in, but there’s still sanitization applied before this is rendered anywhere (so no XSS vector). And the length limit was already correctly applied in the sign-up endpoint as well (so no DoS vector).