@Wolfshade, you can never overthink security risks. I share your concerns.
In fact I, too, spent some time last year looking into this very issue for our own sites. I found, a bit to my dismay, that the attacker could strike from many fronts. It means you have to defend on many fronts.
I drew up a checklist. It contained, among others, url-encode, canonicalize, ScriptProtect, code to detect simultaneous logins, HTTPOnly cookies and Content Security Policy. When I was drawing up the list, I found these two sites useful.
My team has been working on tightening up XSS vulnerabilities on our old code.
One of the things you said really bothered me: " like, for example, input into a database, or used as a conditional for database processing"
I really, really hope you are not just taking URL vars and using them in your queries. THAT is an XSS problem.
So, just a few tips we've put together during our project
1. Don't use URL variables unless you have to (framework?)
2. move URL vars to client (presumes client vars are db stored on server side - Cookies can be hacked).
3. Use <cfqueryparam ... > in all queries
4. You can whitelist url vars, but you also have to validate accepted values. (e.g., "id" must be integer, "name" is alpha, with a max length ...)
5. No hidden form values (these can be spoofed)
6. Use CreateUUID() for unique identifiers and validate always
7. NEVER EVER display user input back to the screen.
just a few off the top of my head.
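The tips in the post above (whitelist URL variables, validate accepted values by type and length, bind every value with cfqueryparam, and never echo input unencoded) put together in one page, as an added example that is not the poster's code. It assumes a datasource named "app" and a users table with integer id and varchar name columns; both are hypothetical. encodeForHTML needs ColdFusion 10 or later (or Lucee); on older servers HTMLEditFormat is the closest substitute.

```cfml
<!---
  Added example, not from the original thread.
  Assumptions: datasource "app" (hypothetical) with a table
  users(id INT, name VARCHAR). Demonstrates tips 3, 4 and 7 above.
--->

<!--- Tip 4: whitelist of accepted URL variables and the rule each must satisfy --->
<cfset allowed = {
    "id"   = { type = "integer", maxlength = 10 },
    "name" = { type = "regex", maxlength = 40, pattern = "^[A-Za-z]{1,40}$" }
}>

<!--- Reject the request if it carries any URL variable not on the whitelist --->
<cfloop collection="#url#" item="key">
    <cfif NOT structKeyExists(allowed, key)>
        <cfthrow type="InvalidRequest" message="Unexpected URL parameter">
    </cfif>
</cfloop>

<!--- Validate the values that were accepted: maximum length first, then type --->
<cfloop collection="#allowed#" item="key">
    <cfif structKeyExists(url, key)>
        <cfset rule = allowed[key]>
        <cfset ok = len(url[key]) LTE rule.maxlength>
        <cfif ok AND rule.type EQ "regex">
            <cfset ok = isValid("regex", url[key], rule.pattern)>
        <cfelseif ok>
            <cfset ok = isValid(rule.type, url[key])>
        </cfif>
        <cfif NOT ok>
            <cfthrow type="InvalidRequest" message="Bad value for URL parameter #key#">
        </cfif>
    </cfif>
</cfloop>

<cfif structKeyExists(url, "id")>

    <!---
      The pattern the post warns against. url.id is pasted into the SQL text,
      so a value such as   1 OR 1=1   changes the query instead of the data:

        SELECT id, name FROM users WHERE id = #url.id#
    --->

    <!--- Tip 3: bind the value with cfqueryparam; the driver receives it as a
          typed parameter, never as part of the SQL statement --->
    <cfquery name="user" datasource="app">
        SELECT id, name
        FROM   users
        WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
    </cfquery>

    <!--- Tip 7: whatever comes back originated as someone's input at some point,
          so encode for the HTML context before it reaches the browser --->
    <cfoutput>
        <cfif user.recordCount EQ 1>
            <p>Hello, #encodeForHTML(user.name)#</p>
        <cfelse>
            <p>No such user.</p>
        </cfif>
    </cfoutput>

</cfif>
```

The two loops are deliberately separate: the first fails closed on any parameter name the page does not expect, the second checks only the names it does, so adding a new accepted parameter means adding one entry to the whitelist rather than touching the query. The integer rule makes the cfqueryparam type a second line of defence rather than the only one.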