How to securely run D7 themes?

[effulgentsia]

https://github.com/mglaman/retrofit-drupal/pull/12 is cool!

I'm assuming the motivation for it is to be able to run a site's custom Drupal 7 theme in Drupal 10. What are your thoughts on how to handle print statements within tpl.php files? In Twig, {{ foo }} is smart about knowing whether foo needs to be escaped, and so in Drupal 10 we don't pre-escape variables passed to the template.

One possible approach would be to instruct the site owner to replace all occurrences of print with retrofit_drupal_print() or similar, so that that function could then do something similar to what Twig's {{ foo }} does.

Any other approaches worth considering?