Yesod has more of a focus on dynamic content, and in those cases, we *do* already set charset=utf8[1]. Where this would affect Yesod is in yesod-static, in which case the same logic I've applied to Mighty would apply: users should not be able to affect the content of static files under normal circumstances, so the security concern is pretty remote.
When I checked Yesod today, it returned text/html without charset. But it appeared that it was my mistake. Hhat I saw was a 500 response (from Warp, not from Yesod). Sigh. OK. Yesod returns charset. Good.
To be clear, besides the security concerns, there is *definitely* a usability advantage in specifying charsets explicitly, in that the browser doesn't need to use defaults or guessing[2]. This just comes down to a numbers game: is it more likely that a browser will mis-guess the character encoding of UTF8 data, or that someone running Mighty will provide non-UTF8 data?
I'm assuming that static files contains charset information in their meta header. Creators of static files can do it by themselves without asking their server operator. --Kazu