Forum OpenACS Development: Re: Security parameters in kernel

Posted by Dave Bauer on
I think using permissions to check who has permission to use certain tags is a good idea.

On many sites I work on, a site wide administrator manages the content pages and can be trusted to enter safe HTML. We would still want to security check HTML entered by regular users in forums, weblogs etc.

We already have an allowed protocol parameter that can be used to check URLs for unsafe options such as javascript.

I think checking images for valid URLs such as those internal to a site also makes very good sense.
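
The checks discussed in this post (a tag allow-list that a permission can waive, a protocol allow-list for URLs, and images limited to the site's own host), sketched as an added Python example that is not part of the original post and is not OpenACS code. The policy values, the `check_html` name, the host names and the extra event-handler check are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed policy values for illustration; not OpenACS parameter names or defaults.
ALLOWED_PROTOCOLS = {"http", "https", "mailto"}
USER_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "blockquote", "img"}
CONTROL_AND_SPACE = "".join(chr(c) for c in range(33))


def url_parts(url):
    """Return (scheme, host) the way a browser would read the URL."""
    # Browsers drop tab/CR/LF anywhere in a URL and ignore leading control
    # characters, so "java\tscript:" must be normalised before parsing.
    cleaned = "".join(c for c in url if c not in "\t\r\n").lstrip(CONTROL_AND_SPACE)
    parts = urlsplit(cleaned)
    return parts.scheme.lower(), (parts.hostname or "")


class PolicyChecker(HTMLParser):
    def __init__(self, trusted, site_host):
        super().__init__()
        self.trusted, self.site_host, self.violations = trusted, site_host, []

    def handle_starttag(self, tag, attrs):
        if self.trusted:  # holder of the (hypothetical) "any tag" permission
            return
        if tag not in USER_TAGS:
            self.violations.append(f"tag <{tag}> not allowed")
            return
        for name, value in attrs:
            if name.startswith("on"):
                self.violations.append(f"event handler {name} on <{tag}> not allowed")
            elif name in ("href", "src") and value:
                scheme, host = url_parts(value)
                if scheme and scheme not in ALLOWED_PROTOCOLS:
                    self.violations.append(f"protocol {scheme!r} not allowed in <{tag} {name}>")
                elif tag == "img" and host and host != self.site_host:
                    self.violations.append(f"image host {host!r} is not this site")


def check_html(html, trusted=False, site_host="example.org"):
    """List policy violations in submitted HTML; an empty list means accept."""
    checker = PolicyChecker(trusted, site_host)
    checker.feed(html)
    checker.close()
    return checker.violations
```

Relative URLs have no scheme or host and pass both URL checks; protocol-relative image URLs (`//host/...`) carry a host and are compared against `site_host`.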