diff --git a/core/lib/Drupal/Core/Render/theme.api.php b/core/lib/Drupal/Core/Render/theme.api.php
index 754641cce75607868bbd686ed6bf1da7ec7d41f5..2bb2eb9aa8fd9615335c14d037d4c01461321a2c 100644
--- a/core/lib/Drupal/Core/Render/theme.api.php
+++ b/core/lib/Drupal/Core/Render/theme.api.php
@@ -765,6 +765,12 @@ function hook_extension() {
 /**
  * Render a template using the theme engine.
  *
+ * It is the theme engine's responsibility to escape variables. The only
+ * exception is if a variable implements
+ * \Drupal\Component\Render\MarkupInterface. Drupal is inherently unsafe if
+ * other variables are not escaped. The helper function
+ * theme_render_and_autoescape() may be used for this.
+ *
  * @param string $template_file
  *   The path (relative to the Drupal root directory) to the template to be
  *   rendered including its extension in the format 'path/to/TEMPLATE_NAME.EXT'.
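Review bot: The added sentence "Drupal is inherently unsafe if other variables are not escaped" names neither the risk nor the output context, so a theme engine author cannot tell what exactly is required of them. I would say it directly, e.g. `Variables printed without HTML escaping can introduce cross-site scripting (XSS) into the rendered page.`, and spell out that MarkupInterface objects are exempt because they are already marked safe for output. The phrase "may be used for this" also reads as optional straight after a hard requirement; something like `Theme engines without their own autoescaping should pass each variable through theme_render_and_autoescape().` together with an `@see theme_render_and_autoescape()` tag would be clearer. The docblock continues past the end of the hunk, so whether the `@return` text describes how callers treat the returned string cannot be checked from here.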