While I agree with the overall point, these are different environments.
React normally operates in a DOM. It's templates are translated into javascript, and that javascript manipulates the DOM. PHP templates are just outputting strings.
ReactDOMServer also outputs strings; it just works with context-aware objects during template processing.
The point here is that PHP templates work with strings as a design choice: there's nothing about PHP as a language that's preventing you from taking a similarly context-aware template-processing approach.
The question is whether it's easy to write vulnerable code.
For PHP it's easy and implicit:
For React it's hard and explicit: