If done properly, these methods would protect a site from XSS attacks like our example, but having just a single line of defence is never a great idea; we need defence-in-depth. There are also many other ways that a hostile script could find its way into your site, so input sanitisation and output encoding simply aren't enough on their own.
The last and ultimate line of defence against XSS is Content Security Policy. With CSP we change the approach slightly by whitelisting all allowed content on our site. If content is whitelisted then it is allowed to run; if it's not, the browser will block it.
With this approach, if hostile content is somehow injected into your site and gets past the other countermeasures, the browser is your last line of defence and neutralises the attack. The final piece of the puzzle is of course reporting.
With CSP reports sent back by the browser you can know that an attack was neutralised and then address the root cause using the information in the report itself.
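As an added example (not code from the original post), here is a small Node.js snippet that ties the two halves together: it builds a CSP header from a map of directives, checks whether a policy still permits inline script (the case that lets a reflected XSS payload run), and parses the JSON violation report a browser POSTs back to the `report-uri` endpoint. The `/csp-report` path and the sample report body are constructed assumptions; the directive names and report fields are the standard CSP ones.

```javascript
// Build a Content-Security-Policy header value from a directive map.
// Each key is a directive name, each value a list of source expressions.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => (sources.length ? `${name} ${sources.join(' ')}` : name))
    .join('; ');
}

// A lax policy: 'unsafe-inline' means injected <script> blocks still execute,
// so CSP adds no protection against the XSS case discussed above.
const laxPolicy = { 'default-src': ["'self'", "'unsafe-inline'"] };

// A stricter policy: scripts only from our own origin, plugins disabled,
// and every violation reported back to us (report path is an assumption).
const strictPolicy = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'object-src': ["'none'"],
  'report-uri': ['/csp-report'],
};

// Does this policy still allow inline script? script-src takes precedence,
// falling back to default-src when script-src is absent.
function allowsInlineScript(directives) {
  const src = directives['script-src'] || directives['default-src'] || [];
  return src.includes("'unsafe-inline'");
}

// Constructed sample of the JSON body a browser sends to report-uri when it
// blocks an inline script that a strict policy does not allow.
const sampleReport = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://example.com/search?q=test',
    'violated-directive': 'script-src',
    'effective-directive': 'script-src',
    'original-policy': buildCsp(strictPolicy),
    'blocked-uri': 'inline',
    'source-file': 'https://example.com/search?q=test',
    'line-number': 12,
  },
});

// Parse a report body into the fields a responder needs to find the root cause:
// which page, which directive fired, what was blocked, and where in the page.
function parseCspReport(body) {
  const parsed = JSON.parse(body);
  const r = parsed['csp-report'];
  if (!r || typeof r !== 'object') {
    throw new Error('not a CSP violation report');
  }
  return {
    document: r['document-uri'],
    directive: r['effective-directive'] || r['violated-directive'],
    blocked: r['blocked-uri'],
    sourceFile: r['source-file'],
    line: r['line-number'],
  };
}

// Group a batch of reports by directive + blocked URI so that a flood of
// reports from one injection point collapses into a single actionable entry.
function summariseReports(bodies) {
  const counts = {};
  for (const body of bodies) {
    const r = parseCspReport(body);
    const key = `${r.directive} -> ${r.blocked} @ ${r.document}`;
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

// Stand-alone run: print both header values and a summary of the sample report.
console.log('Lax policy:   ', buildCsp(laxPolicy), '| inline allowed:', allowsInlineScript(laxPolicy));
console.log('Strict policy:', buildCsp(strictPolicy), '| inline allowed:', allowsInlineScript(strictPolicy));
console.log(summariseReports([sampleReport, sampleReport]));
```

When rolling this out, the `Content-Security-Policy-Report-Only` header accepts the same policy syntax but only reports violations without blocking, which lets you collect real reports and fix legitimate inline scripts before switching to the enforcing header.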