
Wasn't adding a new character to browsers that needs escaping a grave (heh) error of judgement?

There's a lot of unmaintained client side code out there.



Escaping <>"' properly is still enough. Without them you can't create the <script> needed to use a backtick.


Remember & as well.

Inside an attribute value: use single or double quotes, then escape ampersand (&) and the other type of quote (" or ').

In a text value: all you need to escape are less than (<) and ampersand (&).

In any other location: … why are you doing this? (<>"'& is enough to cover everything, but you probably shouldn’t be doing this in the first place.)


You need to escape =. Otherwise if someone does something like:

document.write("<a class=" + str + " href='foo'>xss</a>");

The attacker can set str to "foo onclick=alert(1)".


You can't safely put arbitrary user input in an unquoted attribute value.


You should put quotes around the attribute value.

Then you won't need to escape =.


The issue is when a developer forgets to do so. No reason to not escape it.
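The following is an added example, not code posted by any commenter above. It covers both the per-context escaping rules (escape &, <, >, ", ' everywhere; quote attribute values) and the unquoted-attribute exchange about `foo onclick=alert(1)`. It uses a small start-tag attribute tokenizer, simplified from the HTML spec's attribute-name, quoted-value and unquoted-value states, to show which attributes a browser would see for each strategy. The helper names (`unquotedLink`, `quotedLink`, `escapeHtmlAndEquals`, and so on) and the payloads are made up for the demonstration.

```javascript
// Added example (not from any commenter above). A tiny start-tag attribute
// tokenizer, simplified from the HTML spec's attribute-name / quoted-value /
// unquoted-value states, used to show which attributes a browser would
// actually see for each escaping strategy discussed in the thread.

// Escape the five characters the thread settles on: & < > " '
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Variant that additionally escapes '=' (the suggestion in the thread).
function escapeHtmlAndEquals(s) {
  return escapeHtml(s).replace(/=/g, '&#x3D;');
}

// Decode the handful of character references the escapers above emit.
function decodeEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|amp|lt|gt|quot|apos);/gi, (_, body) => {
    const b = body.toLowerCase();
    if (b.startsWith('#x')) return String.fromCodePoint(parseInt(b.slice(2), 16));
    if (b.startsWith('#')) return String.fromCodePoint(parseInt(b.slice(1), 10));
    return named[b];
  });
}

// Return [{name, value}] for the attributes of one start tag such as
// "<a class=foo href='bar'>". Names are lowercased as browsers do and are
// not entity-decoded; values (quoted or unquoted) are decoded.
function parseStartTagAttributes(tag) {
  const m = /^<[a-zA-Z][^\s/>]*/.exec(tag);
  if (!m) throw new Error('not a start tag: ' + tag);
  const isSpace = (c) => c === ' ' || c === '\t' || c === '\n' || c === '\f';
  const attrs = [];
  let i = m[0].length;
  while (i < tag.length) {
    while (i < tag.length && (isSpace(tag[i]) || tag[i] === '/')) i++;
    if (i >= tag.length || tag[i] === '>') break;
    let name = '';
    while (i < tag.length && !isSpace(tag[i]) && !'/=>'.includes(tag[i])) name += tag[i++].toLowerCase();
    while (i < tag.length && isSpace(tag[i])) i++;
    let value = '';
    if (tag[i] === '=') {
      i++;
      while (i < tag.length && isSpace(tag[i])) i++;
      const q = tag[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < tag.length && tag[i] !== q) value += tag[i++];
        i++; // step over the closing quote
      } else {
        // Unquoted value: runs until whitespace or '>', so a space in the
        // input starts a brand-new attribute. This is the whole problem.
        while (i < tag.length && !isSpace(tag[i]) && tag[i] !== '>') value += tag[i++];
      }
    }
    attrs.push({ name, value: decodeEntities(value) });
  }
  return attrs;
}

const attributeNames = (tag) => parseStartTagAttributes(tag).map((a) => a.name);

// Three ways of building the thread's <a class=... href='foo'> tag
// (hypothetical helper names). Only the class value is attacker-controlled.
const unquotedLink = (str) => `<a class=${escapeHtml(str)} href='foo'>`;
const unquotedLinkEscapingEquals = (str) => `<a class=${escapeHtmlAndEquals(str)} href='foo'>`;
const quotedLink = (str) => `<a class="${escapeHtml(str)}" href='foo'>`;

// Constructed payloads for the demonstration.
const handlerPayload = 'foo onclick=alert(1)';   // the thread's example
const booleanPayload = 'foo hidden';             // no '=' needed at all
const quoteBreakout = 'foo" onclick="alert(1)';  // tries to close the quote

if (typeof require !== 'undefined' && require.main === module) {
  for (const build of [unquotedLink, unquotedLinkEscapingEquals, quotedLink]) {
    for (const p of [handlerPayload, booleanPayload, quoteBreakout]) {
      console.log(build.name, JSON.stringify(p), '->', attributeNames(build(p)).join(' '));
    }
  }
}
```

Run with `node` to see the attribute list each strategy yields. Escaping only `&<>"'` in an unquoted value lets `onclick` through; escaping `=` as well removes the event handler but still lets the attacker add attributes such as `hidden`, because whitespace ends an unquoted value no matter what else is encoded. Quoting the value and escaping `"` keeps the entire payload inside `class`, which is why the quoted form, not an extra escape, is the fix.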



