As I use my own pod with apps I know well, I would see a solution that disables html files as a bug rather than a fix and would probably disable that feature fairly quickly 
I understand that organisations providing pods or apps would have a very different view on that.
I think best practice would be to have server side sanitation on write and client side sanitation on read. Similar ideas to what was described for the markdown renderer XSS in markdown renderer 路 Issue #369 路 SolidOS/solid-panes 路 GitHub
Incidentally, best practice for sanitising markdown is to sanitise the html after it is produced.
Dynamic panes in your built-in browser, direct use of web components, local add-ons as per the other thread, hosting apps yourself, not having to run a separate server
Publicly available html pages by themselves do not have access to any of your non public data unless you login. Opening a private html page while not logged in is prevented by requiring a dpop token (cookies aren鈥檛 sufficient)
The main attack vector for HTML pages is if the html page is rendered by the browser while you are logged in, which currently only really happens within SolidOS.
I鈥檓 not sure how you would exploit most of what you鈥檙e referring to without being logged in, which outside of solidos would require tricking somebody into it?