The current documentation for format_string() emphasizes that it is to be used for "sanitizing" text, but that's not really a complete description. Even if you trust the source of your text, you still want to run it through e.g. check_plain() if there's any chance it might contain a character that will be erroneously interpreted as HTML, and format_string() is a good way to do that.
Thus, we really should encourage people to use this function regardless of whether untrusted user input is involved. (See discussion in.)
The attached patch is a first pass at trying to clarify the documentation in this regard and otherwise make some small improvements to it.
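To illustrate the point about trusted text, here is an added example that is not part of the original post or of Drupal's code. `demo_check_plain()` and `demo_format_string()` are hypothetical, simplified stand-ins for check_plain() and format_string() so the script runs without a Drupal bootstrap, and the sample string is constructed.

```php
<?php
// Stand-in for check_plain(): encode characters that are special in HTML.
function demo_check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stand-in for format_string(): the first character of each placeholder
// key decides how its value is prepared before substitution.
function demo_format_string($string, array $args = array()) {
  foreach ($args as $key => $value) {
    switch ($key[0]) {
      case '@':
        // Encoded as plain text.
        $args[$key] = demo_check_plain($value);
        break;

      case '!':
        // Inserted as-is, with no encoding at all.
        break;

      case '%':
      default:
        // Encoded, then wrapped in emphasis markup.
        $args[$key] = '<em class="placeholder">' . demo_check_plain($value) . '</em>';
    }
  }
  return strtr($string, $args);
}

// Constructed sample: help text written by the site's own developer.
// Nothing here is untrusted, yet it contains <, >, & and quote characters.
$trusted = 'Use <b> for bold, and write "R&D" with an ampersand';

// '!' passes the text through unchanged: a browser would treat <b> as a
// real tag and the rest of the page would render in bold.
echo demo_format_string("Tip: !tip\n", array('!tip' => $trusted));

// '@' encodes the special characters, so the reader sees the literal
// text the developer wrote.
echo demo_format_string("Tip: @tip\n", array('@tip' => $trusted));

// '%' encodes the same way and additionally emphasizes the value.
echo demo_format_string("Tip: %tip\n", array('%tip' => $trusted));
```

Only the `!` line produces broken markup, even though every input came from a trusted source.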