I believe this is safe but I’m no security expert. Everything I could find on XSS issues was focused on stealing passwords. WordPress feeds are all public and require no login so I think it’s all good. StackOverflow seems to agree.
With that hearty and confidence-inspiring endorsement, I give you this amazingly complicated plugin to allow access to all your WordPress feeds from other stuff (like Kin’s GitHub RSS reader).[1] All simple stuff really; the key piece was getting the right trigger, pre_get_posts. Otherwise it was called too late. is_feed is the other little handy piece which Tim Owens mentioned . . . and I subsequently used.