angularjs ngsanitize

What, exactly, does ngSanitize protect me from?


I did read every article on the first page of Google search. At best, there's something vague like it removes script tags and other harmful content. Is that basically all it does? What is this "other harmful content"?

What's the end goal here, what's my concern?

What is this normally even used for? Is it reasonable to use it if we let a user enter a long string that might contain html? Or is it only for when we are explicitly letting the user generate html?


Solution

  • For example's sake, Alice might have an SPA where she lets her users type in code snippets that are also executed in the same page, which are also shown to other users who visit the page as well.

    Bob decided to insert a malicious snippet that let him get information on those who view those pages, via putting in an HTTP request to his own end with the viewer's credentials, i.e. account username and session ID in the frontend, or an external script that does the same.

    Alice viewed the page; after all, she's curious about what her users have been doing! Little did she know that Bob now has access to her session ID with elevated privileges.

    Bob then continues on to access the app with the said session ID, elevates his own account to Administrator privileges, kicks out Alice's account and helps himself to the information inside... possibly credit card account details. I'm just weaving on the spot but you get the idea.

    In a nutshell, you shouldn't trust all user input when you're letting them render it. That is what ngSanitize is for, to keep you from unwanted code execution.
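
To make the "other harmful content" concrete, here is an added example (not part of the original answer) that renders one user-supplied string three ways so the effect of `$sanitize` is visible. The module name `sanitizeDemo`, the controller `DemoCtrl`, the sample string and the local script paths are assumptions made for the illustration.

```html
<!doctype html>
<html ng-app="sanitizeDemo">
<head>
  <meta charset="utf-8">
  <!-- Assumption: AngularJS 1.x and its angular-sanitize module sit next to this file. -->
  <script src="angular.js"></script>
  <script src="angular-sanitize.js"></script>
</head>
<body ng-controller="DemoCtrl as vm">

  <h3>1. Plain interpolation: markup is shown as literal text, nothing is rendered</h3>
  <p>{{ vm.untrusted }}</p>

  <h3>2. ng-bind-html with ngSanitize loaded: rendered as HTML after passing through $sanitize</h3>
  <p ng-bind-html="vm.untrusted"></p>

  <h3>3. The string $sanitize returns for the same input</h3>
  <pre>{{ vm.cleaned }}</pre>

  <script>
    // Constructed sample input standing in for a user-submitted snippet.
    // The alert() calls are harmless markers for "script would have run here".
    var SAMPLE =
      '<b>Nice post</b>' +
      '<script>alert(1)<\/script>' +                  // script element
      '<img src="avatar.png" onerror="alert(2)">' +   // event-handler attribute
      '<a href="javascript:alert(3)">profile</a>';    // javascript: URL

    angular.module('sanitizeDemo', ['ngSanitize'])
      .controller('DemoCtrl', ['$sanitize', function ($sanitize) {
        this.untrusted = SAMPLE;
        // $sanitize keeps allowlisted elements and attributes and drops the rest:
        // the script element with its content, the onerror handler, and the
        // href whose scheme is javascript:. The <b>, <img src> and link text stay.
        this.cleaned = $sanitize(SAMPLE);
      }]);
  </script>
</body>
</html>
```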