The method will return (part of) its argument, hence preserving the taintedness, but can also append an escaped message for the ellipsis. Thus, in order to get escaping right (without double-escaping), callers are supposed to pass an escaped string to truncateForVisual. But HTML might get truncated, thus leaving unwanted characters in the output.
Conversely, we cannot just make truncateForVisual use text() and escape the result after the call, as that could increase the length. This is probably acceptable if we assume that "visual" means HTML, and the given length is just a made-up number to make the content fit some part of the page, and not a hard constraint. In that case, escaping the string after the truncateForVisual call will result in the string being displayed with exactly the number of characters counted by strlen, which is supposedly what the caller wants.
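The two orderings discussed above, side by side, as an added PHP example that is not MediaWiki's code: `truncate_visual()` is a hypothetical stand-in for truncateForVisual, and the input string is constructed. It assumes characters are counted with `mb_strlen` and that the ellipsis is either a pre-escaped entity (escape first) or a plain character (escape last).

```php
<?php
// Hypothetical stand-in for truncateForVisual: keep at most $length characters
// and append $ellipsis verbatim if anything was cut. Not MediaWiki's implementation.
function truncate_visual(string $s, int $length, string $ellipsis): string {
    if (mb_strlen($s, 'UTF-8') <= $length) {
        return $s;
    }
    return mb_substr($s, 0, $length, 'UTF-8') . $ellipsis;
}

function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// What a browser would show for a piece of HTML text (entities decoded).
function displayed(string $html): string {
    return html_entity_decode($html, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed, attacker-influenced input.
$raw   = 'Tom & Jerry <b>fans</b>';
$limit = 6;

// Ordering A: escape, then truncate with an already-escaped ellipsis.
// No double-escaping, but the cut can land inside "&amp;" and leave a
// broken entity fragment in the output.
$a = truncate_visual(esc($raw), $limit, '&hellip;');

// Ordering B: truncate the raw text with a plain-text ellipsis, then escape
// the whole result. The markup is always well-formed; the escaped string is
// longer than $limit, but the displayed text keeps $limit characters.
$b = esc(truncate_visual($raw, $limit, "\u{2026}"));

foreach (['escape-then-truncate' => $a, 'truncate-then-escape' => $b] as $name => $html) {
    printf(
        "%-21s html=%-16s html_len=%2d shown=%-9s shown_len=%d\n",
        $name,
        $html,
        mb_strlen($html, 'UTF-8'),
        displayed($html),
        mb_strlen(displayed($html), 'UTF-8')
    );
}
```

With ordering B the caller's length bounds what is rendered rather than the size of the markup, which is the trade-off the paragraph above accepts when the length is not a hard constraint.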