Consider the following circumstances:
Accepting that some level of insecurity is inherent in JS, how insecure is what I've just done?
The OWASP XSS Cheat Sheet says to escape all 'untrusted data'. Is the result of my AJAX request untrusted given the above circumstances? Is the result of any AJAX request regarded as 'untrusted'?
Is inserting HTML this way bad practice? If so what should I be doing instead?
Edit to clarify a couple of things:
As long as the response is truly static and does not involve user input of any kind, this is fine. AJAX itself (as you hinted) does not make it vulnerable to XSS (as long as transport is secure, which practically means https).
One caveat (not necessarily in your case, but in general) could be what you consider user input and what not. Your application always receives input from the user, or it may use parameters received previously, or even by another application. Even if you don't pass parameters, there are request headers, cookies (if any), and user input can also be read from a database. Even if it looks like static data in the database, at some point it may have originated from some kind of a user, probably a legitimate (but rogue) one, or an external attacker, or it could have come from another application that writes to the same database (not a good practice anyway).
So in short, if the data you send back is really just static data (as in hard coded), that's not vulnerable, but there are many ways it can become dynamic, and from there it's your (ideally risk based) decision, what you protect against and what you trust.
The best practice is to encode everything by default to avoid mistakes. If you are sure that you trust the source of data that you want to insert into the DOM as HTML, that's fine. Threat modeling may help to discover what you should and should not trust, but in some cases it may also be obvious.