No; you must not.
You must only escape data if and when you concatenate it into a structured format.
If you return JSON like { "text": "Content by X & Y" }
, anyone who reads that JSON will see the literal text &
.
It will only work correctly for extremely broken clients who concatenate it directly into their HTML without escaping.
In short: