I have a .NET backend with a AngularJS frontend.
As long as you are setting the content-type to
application/json then this content type will not be sniffed by browsers, because it is not "known". Therefore this should be secure against XSS.
There is no need to further encode it.
textContent as required so that the browser does not interpret it as script.
Note that the risk here isn't
<script>alert('xss')</script>, it would have to be something like
<img src=x onload="alert('xss');" /> for it to execute when dynamically added to a document.