These templates don’t seem to be semantically aware like Go’s html/template that takes care of mitigating XSS for you, among other things.

Correct. Intended for library authors to do that. A SQL library, for example, could accept a template type and mitigate against SQL injection for you.