mpyne 17 hours ago

> I dunno why nobody used things like external includes in XML

In practice they led to fairly severe security vulnerabilities. "XXE" used to be an OWASP Web Top 10 issue, and the reason it dropped off the list was because XML mostly went away, not because it stopped being a thing.

> But at least, I think XML doesn't have macro expansions, so that's a win.

XML, like HTML, has entities that can be expanded. Unlike HTML you can define them in XML and this led to the "Billion laughs attack": https://en.wikipedia.org/wiki/Billion_laughs_attack

marcosdumay 14 hours ago

> In practice they led to fairly severe security vulnerabilities.

Well, that seems to not matter for the people writing YAML.

> XML, like HTML, has entities that can be expanded.

Lol! Of course I'd be wrong about that.

Expecting XML not to have a well-known security vulnerability is a losing proposition.
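An added example, not part of either comment above: one way to refuse documents that rely on the two features discussed in this thread (user-defined entities and external includes) before they reach application code. It uses Python's standard `xml.parsers.expat` handlers; the function name `check_xml` and the sample documents are constructed for illustration.

```python
import xml.parsers.expat as expat


class ForbiddenXML(ValueError):
    """Raised by the handlers below to abort parsing of a risky document."""


def check_xml(data: bytes) -> str:
    """Return 'ok', or the reason the document is rejected.

    Parsing stops at the first entity declaration, so nothing is expanded
    and nothing external is fetched.
    """
    parser = expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry a value; external ones carry a system/public id.
        kind = "external" if (system_id or public_id) else "internal"
        raise ForbiddenXML(f"{kind} entity declaration: {name}")

    def on_external_ref(context, base, system_id, public_id):
        # Defense in depth: refuse any attempt to resolve an external entity.
        raise ForbiddenXML(f"external entity reference: {system_id}")

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except ForbiddenXML as exc:
        return str(exc)
    except expat.ExpatError as exc:
        return f"malformed: {exc}"
    return "ok"


# Constructed sample inputs (not taken from the thread).
PLAIN = b"<config><name>demo</name></config>"
NESTED = (b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY a "ha">'
          b'<!ENTITY b "&a;&a;">]><d>&b;</d>')
EXTERNAL = (b'<!DOCTYPE d [<!ENTITY x SYSTEM "http://example.invalid/x">]>'
            b"<d>&x;</d>")
BROKEN = b"<config><name>demo</config>"

if __name__ == "__main__":
    for label, doc in [("plain", PLAIN), ("nested", NESTED),
                       ("external", EXTERNAL), ("broken", BROKEN)]:
        print(f"{label:9s} {check_xml(doc)}")
```

Predefined entities such as `&amp;` and `&lt;` still parse, because they are built into XML and need no declaration.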