Some guesswork for what it's worth.
innerHTML is literally the browser interpretting hte html.
so < becomes the less than symbol becuase that's what would happen if you put < in the html document.
The largest security risk of strings with & is an eval statement, any JSON could make the application insecure. I'm no security expert but if strings remain strings than you should be ok.
This is another way innerHTML is secure the unescaped string is on it's way to becoming html, so theres no risk of it running the javascript.
