The current design seems to have been adopted in
and implemented by changing packages/HTML/QuickForm.php.
How does this work? Most forms call HTML_QuickForm::exportValues(). exportValues() includes a hard-coded list of HTML-enabled fields ($skipFields) which are not subject to any escaping. All other fields are passed to HTML_QuickForm::filterValue(), which does a simple str_replace for "<" and ">" characters. The SVN history for that line shows a series of consecutive changes with more or less encoding, so the current escaping seems to be the outcome of some work.
The solution is somewhat buggy – e.g. if a user types "<" into some field, saves, and then goes back to edit the field, it will redisplay "&lt;". There are similar bugs if you export data in any non-HTML medium (e.g. CSV, API, SQL).
To resolve these issues, we should switch from the escape-on-input pattern to escape-on-output.
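
The two patterns side by side, as an added PHP sketch that is not CiviCRM or QuickForm code. The function names and the sample value are hypothetical, and `filterOnInput()` assumes the str_replace maps "<" and ">" to "&lt;" and "&gt;".

```php
<?php
// Added illustration: function names are hypothetical, not QuickForm's API.

// Escape-on-input, modelled on the str_replace described above.
// Assumption: "<" and ">" are replaced with "&lt;" and "&gt;".
function filterOnInput(string $value): string {
  return str_replace(['<', '>'], ['&lt;', '&gt;'], $value);
}

// Escape-on-output for HTML: encode at render time, for the HTML context only.
function renderTextInput(string $name, string $value): string {
  return sprintf(
    '<input type="text" name="%s" value="%s" />',
    htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
    htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
  );
}

// Escape-on-output for CSV: that medium needs quote doubling, not entities.
function renderCsvField(string $value): string {
  return '"' . str_replace('"', '""', $value) . '"';
}

$typed = 'a < b';                       // constructed sample input

$storedEscaped = filterOnInput($typed); // pattern 1: database holds "a &lt; b"
$storedRaw     = $typed;                // pattern 2: database holds "a < b"

$cases = ['escape-on-input' => $storedEscaped, 'escape-on-output' => $storedRaw];
foreach ($cases as $label => $stored) {
  echo "== $label ==\n";
  echo "stored:    $stored\n";
  // Under pattern 1 the HTML entity leaks into the non-HTML export.
  echo "CSV field: " . renderCsvField($stored) . "\n";
  // A browser decodes the value attribute once, so the edit field shows the
  // stored string verbatim: "a &lt; b" under pattern 1, "a < b" under pattern 2.
  echo "edit form: " . renderTextInput('note', $stored) . "\n";
}
```

With the raw value stored, each medium applies its own encoding at render time, and the same record round-trips cleanly through the edit form and the CSV export.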