phan-taint-check-plugin does not take into account the actual values of variables or really do any flow analysis at all for that matter.
As a result, it cannot tell if the third argument to UserGroupMembership::getLink() is 'html' or 'wiki', even if it's specified as a literal string in the method call. This results in a significant portion of the false positives from the tool.
So we could maybe try to special-case phan-taint-check-plugin for this particular function (this would involve quite a bit of work to do properly; to do it hackily would be less work). Or maybe we could split this function into UserGroupMembership::getLinkForWikitext() and UserGroupMembership::getLinkForHtml().
On one hand, tools should serve us, not the other way around; we should not be forced to use coding constructs due to limitations of tools. On the other hand, the method is relatively new, and it's a rather rare idiom in MediaWiki to control whether or not escaping happens via an argument (instead of a different function name). I tend towards the option of splitting the function, but I might be biased, and would like to hear further opinions.
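The two shapes discussed above, as an added stand-alone sketch that is not part of the original post and is not MediaWiki's code. The class `GroupLinkExample`, its simplified two-argument signatures, and the `Project:` title prefix are assumptions for illustration.

```php
<?php
// Added illustration; names and signatures are hypothetical, not MediaWiki code.
final class GroupLinkExample {
    // Before: the output context depends on the *value* of $format.
    // An analyzer that ignores argument values has to give every call to
    // getLink() one and the same return taint, so getLink( $g, 'html' )
    // and getLink( $g, 'wiki' ) look identical to it.
    public static function getLink( string $group, string $format ): string {
        if ( $format === 'wiki' ) {
            return self::getLinkForWikitext( $group );
        }
        if ( $format === 'html' ) {
            return self::getLinkForHtml( $group );
        }
        throw new InvalidArgumentException( "Unknown format: $format" );
    }

    // After: the output context is fixed by the method name, so each method
    // has a single return taint that needs no knowledge of argument values.

    // Returns wikitext: not safe to echo as HTML, must go through the parser.
    public static function getLinkForWikitext( string $group ): string {
        return '[[Project:' . ucfirst( $group ) . '|' . $group . ']]';
    }

    // Returns HTML: every dynamic part is escaped before concatenation.
    public static function getLinkForHtml( string $group ): string {
        $href = '/wiki/' . rawurlencode( 'Project:' . ucfirst( $group ) );
        return '<a href="' . htmlspecialchars( $href, ENT_QUOTES ) . '">'
            . htmlspecialchars( $group, ENT_QUOTES ) . '</a>';
    }
}

// Constructed sample input containing markup characters.
$group = '<b>sysop</b>';

// Same method name, different safety properties, chosen only by a literal:
echo GroupLinkExample::getLink( $group, 'html' ), "\n";
echo GroupLinkExample::getLink( $group, 'wiki' ), "\n";

// Split form: the call site alone tells a reviewer or a tool which context applies.
echo GroupLinkExample::getLinkForHtml( $group ), "\n";
echo GroupLinkExample::getLinkForWikitext( $group ), "\n";
```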