Tags: openid, sql-injection, dotnet, openauth, federated-identity

Can federated login (OpenID, e.g.) pose SQL injection risk?


Can all identity providers be safely assumed to sanitize user information, or could one create an account or identity provider to deliver malicious usernames, emails, contact lists, etc?


Solution

  • The trustworthiness of existing providers is irrelevant. An attacker can write their own identity provider and use that to send you whatever they want. You should practically never trust third-party data.
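As an added illustration of the answer's point (example code, not from the original post): a login handler that interpolates identity-provider claims straight into SQL, beside one that binds them as query parameters. The claims dict, the SQLite schema and the attacker-controlled identity provider's values are all constructed for this example.

```python
import sqlite3

# Constructed claims as a hostile (or compromised) identity provider could return them.
# The "email" value is a SQL injection payload; nothing about federated login stops it.
MALICIOUS_CLAIMS = {
    "identity": "https://evil-idp.example/id/123",
    "name": "Mallory",
    "email": "x@example.com'); DELETE FROM users; --",
}


def setup_db():
    """In-memory users table with one legitimate account (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (identity TEXT PRIMARY KEY, name TEXT, email TEXT)")
    db.execute("INSERT INTO users VALUES ('https://idp.example/alice', 'Alice', 'alice@example.com')")
    return db


def insert_user_vulnerable(db, claims):
    """Trusts the provider: builds SQL by string formatting from the claims."""
    sql = "INSERT INTO users VALUES ('%s', '%s', '%s')" % (
        claims["identity"], claims["name"], claims["email"])
    # executescript runs every statement in the string, like drivers that allow
    # batched statements; the payload's DELETE therefore executes as well.
    db.executescript(sql)


def insert_user_safe(db, claims):
    """Treats the provider as untrusted input: values are bound, never parsed as SQL."""
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (claims["identity"], claims["name"], claims["email"]))


def user_count(db):
    return db.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def stored_email(db, identity):
    """Parameterized lookup; the stored value comes back as the literal string."""
    row = db.execute("SELECT email FROM users WHERE identity = ?", (identity,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    vulnerable = setup_db()
    insert_user_vulnerable(vulnerable, MALICIOUS_CLAIMS)
    print("rows left after trusting the provider:", user_count(vulnerable))  # 0
    safe = setup_db()
    insert_user_safe(safe, MALICIOUS_CLAIMS)
    print("rows after parameterized insert:", user_count(safe))  # 2
```

Binding parameters removes the injection, but the stored name and email are still attacker-chosen strings; validate and encode them like any other user input before displaying or acting on them.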