With KSES, WordPress offers a function to clean up the HTML code in the frontend, i.e. only permitted HTML elements and attributes are displayed there. However, this is only used if the theme used and plugins that output in the frontend also use KSES. Improper programming of themes and plugins can lead to problems at this point. With a hacked website, you can also never be sure how KSES is affected. Anything can happen through such a hack, which is difficult to grasp and limit.
My recommendation would therefore always be not to try a cleanup first but to use a clean backup directly. The project should then be secured.
See also:
https://projectdmc.org/documentation/article/faq-my-site-was-hacked/
https://developer.projectdmc.org/advanced-administration/security/hardening/