If you provide no allowed tags, just any html will be output, even script-Tag for example. Isn't this a bit of a risky default setting? Wouldn't it be better to use the default allowed_tags (https://api.drupal.org/api/drupal/core%21lib%21Drupal%21Core%21Field%21F...) as default setting? That would be just using the "#markup" key without "#allowed_tags" key I suppose.
And maybe introduce an extra formater option to output any HTML (with a warning) using the "#children" key only in this case.
Use HTML field formatter with no allowed tags set and insert for example
<script>alert('Hello')</script>
in your field. The js alert will occur.
use "#markup" key instead of "#children" key, maybe extra option for "#children" key.
Active
2.0
Code
The purpose of the module is precisely to output HTML. Everything else is provided by Drupal in the core. In this respect, I see no need to solve this via config. But you can indeed mention this in the module description or in the README.