[eluser]Pascal Kriete[/eluser]
The global sanitation happens in the Input library constructor, which actually runs quite a while before the controller is instantiated.
The only spot where you could modify this particular config setting is in the cache_override hook. Doing that would make the code very hard to maintain in the future though (cache_override is not where you would expect a setting like this to be).
Your best bet is probably to just keep it off globally. You can always call the security helper or input class when you need to clean input.
As for encrypting before inserting - no need. XSS is a client-side attack, it cannot hurt your database. SQL injection can, but if you're using active record or query bindings, CI has you covered and will escape the input properly.
Bottom line, just be mindful of the possibilities and scrub, scrub, scrub the data you display! As pyro suggested, converting HTML entities is a definite must.
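
The store-raw, bind-on-insert, escape-on-display pattern described in this post, as an added example that is not part of the original post or of CodeIgniter. It uses plain PHP with PDO and an in-memory SQLite database as a stand-in for CI's database class so it runs on its own; the `comments` table, the `e()` helper and the sample strings are made up for illustration.

```php
<?php
// Added example: PDO (in-memory SQLite) stands in for CodeIgniter's database
// class so the script is self-contained. All names here are hypothetical.

// Constructed sample input: one script-injection string, one SQL injection attempt.
$samples = array(
    '<script>alert(document.cookie)</script>',
    "x'); DROP TABLE comments; --",
);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

// Store the raw text through a bound parameter. In CodeIgniter the same idea
// is $this->db->query($sql, array($body)) or active record's $this->db->insert().
$insert = $db->prepare('INSERT INTO comments (body) VALUES (?)');
foreach ($samples as $body) {
    $insert->execute(array($body));
}

// Both strings come back byte-for-byte and the table is still there:
// the markup is inert data to the database, and the binding kept the
// quote and semicolon from being parsed as SQL.
$rows = $db->query('SELECT body FROM comments ORDER BY id')
           ->fetchAll(PDO::FETCH_COLUMN);
var_dump($rows === $samples);

// Escape at output time, for the HTML context the value is printed into.
function e($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// The browser receives &lt;script&gt;... as text, not as an executable tag.
foreach ($rows as $body) {
    echo '<li>' . e($body) . "</li>\n";
}
```

With global filtering off, a single field can still be cleaned on request in CodeIgniter by passing `TRUE` as the second argument to `$this->input->post()`.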