From the client-side perspective, data coming from any server cannot be trusted, even when it's one of your own servers (which may be hacked).
While it is true that you need XSS protection on your server, it's certainly not a luxury to have additional protection on the client-side.
The kendo.template() function, for example, can be extended to filter out any unwanted <script> tags. The following code would do it:
var kendoTemplate = kendo.template;
kendo.template = function () {
  var templateFunction = kendoTemplate.apply(this, arguments);
  // $.parseHTML() drops <script> tags; re-serialise the remaining nodes to an HTML string
  return function () { return $('<div>').append($.parseHTML(templateFunction.apply(this, arguments))).html(); };
};
The jQuery.parseHTML() function will strip any <script> tags...
I'm not sure what the impact is for performance when there are too many repeated template calls on the same screen, but for normal use the overhead should be minimal.
Could this kind of XSS protection be added to Kendo UI by default? Or at least be available as an option?