I agree that it would be nice if our existing Encode/Decode Data assertion included XML escaping, though surprisingly, XML escaping has not been a common requirement across customers in the many years that I've been working with the gateway. I suggest you submit that idea to the community, so it can be added as an enhancement request to our roadmap.
Regarding using a custom assertion instead, it's doubtful that you would see much, if any, performance improvement versus the handful of simple regular expression assertions. It's not likely that it would justify the additional complexity of creating and managing a custom assertion in your environment. Frankly, while custom assertions are a really neat way to extend your gateway, they're almost never needed and are rarely a good alternative to policy, policy fragments and encapsulated assertions. It's my opinion that it's not appropriate to use a custom assertion in this case, but you may want to consider creating an encapsulated assertion that wraps the sample policy shared above.