It is often said that the first rule in data security is to trust no one.
From the WordPress developer handbook:
It’s best to do the output validation as late as possible, ideally as it’s being outputted, as opposed to further up in your script. This way you can always be sure that your data is properly validated/escaped and you don’t need to remember if the variable has been previously validated.