Do we still need to sanitize usernames before validation?

Before validating a new User record, we sanitize a few fields by calling Sanitize.clean, which goes through Nokogiri.

This adds a bit of unnecessary overhead to our test suite because the username is always in the userN format.

I'm curious if we still need to do this, or if we can now rely on the DynamicPathValidator, since it validates that the username matches a specific regex, which I think blocks things we'd want to sanitize like &, < and >.

cc @DouweM