You should always escape output before displaying it anywhere on a web page. In Q2A this is done with the qa_html() function. Core Q2A does this everywhere, as shown in your "Q2A version" input in your question.
Using qa_sanitize_html() is certainly possible in some situations, but should only be used when you are expecting to show HTML. In Q2A we use it for this WYSIWYG editor I'm typing in now, because some tags like <b> are allowed.
In a standard one line input you don't want to allow any formatting, but you may want someone to post special characters. So the original content is stored exactly as was input, this is standard practice on the web and perfectly secure, if you escape it properly on output.