This is news to me. We aren't specifically filtering 2Do. We filter out all unknown HTML/XML from notes for security reasons. 2Do should not be adding html/xml to notes. I am surprised that they didn't test this before implementing this behavior because it wouldn't work.
If a third-party wants to store custom data in a task's note, they are welcome to do so, but they shouldn't use XML to do so. A simple workaround for 2Do would be to url_encode the xml before adding it to the note, and then url_decode it when retrieving it.