As you must know, to prevent xss attacks it is important that output to the browser gets escaped. ACF has functions like the_field() that echo directly disabling any posibility for escaping.
We might however assume that if people call functions like the_field, they probably output in html content. We can even write a filter that is restricting enough to be safe in html content and html attributes, thus eliminating a good part of the vulnerabilities.
At least we could make it harder for users to open the gates wide, by making them do special effort to do unsafe things.
Personally I served myself in the codebase of twig for an escaping class. If you want even better you can check ESAPI which they say is not production ready for php, but it already has unit tests and all so it might be worth having a look at...
For a few references, please see: