TextEdit dates back to NeXTStep, so it was originally written in the late 1980s probably. Guessing it didn't render HTML originally, but it always had RTF capability. Not that it's an excuse in 2021, but very few applications from that era woudl be considered "safe" today.
Edit.app is the original NeXTSTEP text editor from the 1989. It supported plain text and rich text files. Famously, the first web browser was based on the rich text capabilities built into NeXSTEP.
TextEdit.app is the OpenStep rewrite of Edit.app and dates to the mid 1990s. It was likely one of the first OpenStep apps. It supported the same rich text files as the original Edit.app.
Apple bought NeXT, OpenStep became Cocoa, TextEdit was ported to Java, and then back to garbage collected Objective-C, then ARC Objective-C, (then Swift, probably).
Along the way it picked up features for reading/writing/editing HTML and Microsoft Word documents.
Apple used to publish the source code for TextEdit as part of their Xcode sample code, but they stopped a few years ago.
Java was supposed to be the primary programming language for OS X. That's why they renamed OpenStep to Cocoa (Java and Cocoa go great together).
But AppKit was still pure Objective-C, and bridging between AppKit's Obj-C APIs and the Java language presented problems. 3rd-party developers (eventually) preferred the write directly in Objective-C and Apple dropped the Java bridge some years later.
NeXT used Display PostScript for the display manager. If you opened an email that had PostScript commands, the mail agent would happily, automatically, execute them.
A favorite payload sent around the computer lab would smear all pixels downward to "melt" whatever was rendered on your display.
Note that there weren't that many interesting things to exfiltrate back then, so this wasn't a terrible default: there wasn't (any!) online commerce, online banking was rare, and even passwords were never echoed to the terminal.
You don't need a password to be echoed to exfiltrate it. You just need the key codes. Not sure about NeXTStep, but regular old X let you sniff keys really easily.
Some systems (specifically, earlier versions of SGI IRIX) shipped with X authorization disabled by default. This is the equivalent of "xhost +". You could sniff a box as soon as it was plugged into the network, including capturing login session credentials, all terminal commands, and anything else. When they su'd to root, yes, you'd capture the root password.
In those days (mid 90's) almost nobody was running firewalls. At least, nobody in these parts. Putting your "office on the Internet" meant raw, unfiltered IP.
