I would normally consider something like wfMessage( 'foo' )->params( $_GET['foo'] )->parse() to be safe. However, in raw HTML mode it would not be. Perhaps as a hardening measure we should disable raw HTML on the message parser.
I took a look through core MW and did not find anything obvious of this form that was exploitable.
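
A simplified model of the behaviour described above, as an added example that is not part of the original post and is not MediaWiki code. toyParse and toyMessageParse are hypothetical stand-ins for the parser and for wfMessage()->params()->parse(), and the input string is constructed.

```php
<?php
// Simplified model, not MediaWiki's parser. All markup is escaped, except that
// with raw HTML mode on, <html>...</html> spans are emitted unescaped.
function toyParse( string $wikitext, bool $rawHtml ): string {
	if ( !$rawHtml ) {
		return htmlspecialchars( $wikitext, ENT_QUOTES );
	}
	$parts = preg_split( '~<html>(.*?)</html>~is', $wikitext, -1, PREG_SPLIT_DELIM_CAPTURE );
	$out = '';
	foreach ( $parts as $i => $part ) {
		// Odd indexes hold the captured bodies of <html> spans.
		$out .= ( $i % 2 === 1 ) ? $part : htmlspecialchars( $part, ENT_QUOTES );
	}
	return $out;
}

// Hypothetical stand-in for wfMessage( 'foo' )->params( $param )->parse():
// the parameter is substituted into the message source before parsing.
function toyMessageParse( string $param, bool $rawHtml, bool $hardened ): string {
	$source = str_replace( '$1', $param, 'You searched for: $1' );
	// Hardening suggested in the post: the message parser ignores raw HTML mode.
	return toyParse( $source, $rawHtml && !$hardened );
}

// Constructed sample input standing in for $_GET['foo'].
$input = '<html><b>markup</b></html>';

$cases = [
	'raw HTML off'          => [ false, false ],
	'raw HTML on'           => [ true, false ],
	'raw HTML on, hardened' => [ true, true ],
];
foreach ( $cases as $label => [ $rawHtml, $hardened ] ) {
	$html = toyMessageParse( $input, $rawHtml, $hardened );
	// Output is safe only if no unescaped tag from the parameter survives.
	$safe = strpos( $html, '<b>' ) === false;
	printf( "%-22s safe=%s  %s\n", $label, $safe ? 'yes' : 'NO', $html );
}
```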