This attribute is since validated against `DynamicPathValidator`, which
has strict requirements for the characters allowed, and should no longer
need to be sanitized in a callback before saving.

This has additional benefits in our test suite, where every creation of
a `User` record was calling `Sanitize.clean` on a username value that
was always clean, since we're the ones generating it.