Security and privacy

XSS Trusted Users list longer than it should be given our settings

Disclaimer: This is an old issue I first noticed years ago. At the time, I did all the reading I could but didn't have the understanding or time to go further with it. Last year I finally tried to get assistance from our hosting provider, but they didn't seem to understand it as a real problem. So now I'm bringing it up where people seem to understand these things better in the hopes that there might still be a solution for it.

The Security Overview Report on our 3.4.3 Moodle site has a warning for XSS Trusted Users that it's found 1003 users that have to be trusted. We have 1969 users, so that's about half of them. I remember very clearly that in former days, the number displayed here was much smaller--only two digits, and probably less than 40. I've read as much documentation as I can, and I've confirmed that only 4 roles on our site have the "trustcontent" permission allowed: Manager, Course Design Specialist (a role created off of Manager), Teacher, and Teaching Assistant (all other roles have it not set).

This post from back in 2015 suggests to me that this error might very well have happened during an upgrade... which would fit my perception of how/when I first noticed the change... but if that's true then I'm hooped because there's no way we can roll back through all those versions and redo.

I'd like to try unticking the box for Enable Trusted content and then reticking it just to see if that makes any difference... but I'm wondering if doing that will trigger the site to clean all of our existing, previously-entered content. Does anybody know? Or have any advice for this situation?
