Attackers can create things like tasks which have console escape codes in their names. When displayed on the console via a command like `arc list` or `arc tasks`, these strings may be annoying (bell characters), misleading (rewrite parts of the console) or otherwise confusing/mischievous. It is vaguely possible that a malicious attacker could come up with some creative way to be legitimately abusive here rather than merely clever/annoying, although this is probably not substantially different from allowing unicode combining characters, RTL codes, zero-width spaces, etc., in practical effect. If nothing else, this behavior is not desirable or expected.
We should make `phutil_console_format()` more aggressive about escaping conversions, and probably expose it via an explicit `xsprintf()` interface to make its use easier and more consistent. The state of console printing is generally less rigorous and abstracted than other string handling, anyway.
See T4472 for a similar primarily-hypothetical escaping issue.