I see a lot of these in premium themes/plugins.
#1 – Why would you escape this? It’s your own data. For consistency?
function prefix_a() {
$class_attr = 'a b c';
// Some more code.
return '<div class="' . esc_attr( $class_attr ) . '">Content</div>';
}
// Called somewhere.
prefix_a();
#2 – Again, why? The data doesn’t come from the DB.
function prefix_b( $class ) {
// Some code.
return '<div class="' . esc_attr( $class ) . '">Content</div>';
}
// Called by a developer from the team.
prefix_b( 'developer adds a class' );
Yes, a child theme developer might call the function above, but he/she is already in control.
#3 – Why? If someone can add filters, it can do a lot more.
function prefix_c() {
$class_attr = apply_filters( 'prefix_c', 'foo bar' );
// Some code.
return '<div class="' . esc_attr( $class_attr ) . '">Content</div>';
}
// Called somewhere.
prefix_c();
I can only think about consistency and to be safe if someone uses untrusted data (excluding the #1 case).