Among WordPress’ capabilities are unfiltered_html and unfiltered_upload; however, I have yet to find any documentation about what specifically they allow or prevent in their filtering.

The only mention I’ve found on WordPress’ site about unfiltered_html is:

Allows user to post HTML markup or even JavaScript code in pages,
posts, comments and widgets.

I’ve seen that JavaScript is filtered out for non-admins, but what HTML is being filtered?

And for unfiltered_upload:

This capability is not available to any role by default (including
Super Admins). The capability needs to be enabled by defining the
following constant:

define( 'ALLOW_UNFILTERED_UPLOADS', true );

With this constant defined, all roles on a single site install can be
given the unfiltered_upload capability, but only Super Admins can be
given the capability on a Multisite install.

And again, the description doesn’t spell out what’s permitted and what’s filtered out.

Can someone tell me exactly what elements, code, or file types the unfiltered_html and unfiltered_upload capabilities allow or prevent?


It is hard to come up with a precise answer since capabilities are often used more broadly than they imply. For example, a check for manage_options is usually a synonym for a check for an admin user and can come up in contexts that don’t actually have much to do with options.

Usually it will be the difference between subject content passing or not passing through wp_kses(). Specific kses settings and what is considered allowed would depend on the context and might vary.

For unfiltered_upload, as far as I remember, it’s more straightforward. Without it only whitelisted file types are allowed. The list is based on wp_get_mime_types().
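As an added illustration (not code from the question or the answer, and not WordPress core itself), the following plugin-style snippet applies the same two gates the answer describes, using only real core functions: markup is passed through wp_kses() with the 'post' context unless the user holds unfiltered_html, and an uploaded filename is checked against the MIME list derived from wp_get_mime_types() unless the user holds unfiltered_upload. The example_* function names are assumptions for this example; the snippet assumes it runs inside a loaded WordPress environment (for instance from a plugin file).

```php
<?php
/**
 * Added example, not part of the original question or answer.
 * Assumes WordPress is loaded (current_user_can(), wp_kses_post(), etc. exist).
 */

// Gate 1: HTML. Core stores submitted markup unfiltered only for users with
// unfiltered_html; everyone else gets the kses 'post' allow-list applied.
function example_sanitize_submitted_html( $raw_html ) {
	if ( current_user_can( 'unfiltered_html' ) ) {
		return $raw_html; // stored as submitted, script tags included
	}
	// wp_kses_post() is wp_kses() with the 'post' context allow-list.
	return wp_kses_post( $raw_html );
}

// Lists the tags and attributes the 'post' kses context allows, so you can
// see exactly what survives filtering for users without unfiltered_html.
function example_allowed_post_tags() {
	$result = array();
	foreach ( wp_kses_allowed_html( 'post' ) as $tag => $attrs ) {
		$result[ $tag ] = array_keys( (array) $attrs );
	}
	return $result;
}

// Gate 2: uploads. get_allowed_mime_types() starts from wp_get_mime_types(),
// drops htm|html and js for users without unfiltered_html, and then applies
// the 'upload_mimes' filter. A file whose extension/MIME is not on that list is
// rejected by the uploader unless the user has unfiltered_upload (which itself
// can only be granted when ALLOW_UNFILTERED_UPLOADS is defined).
function example_is_upload_allowed( $filename ) {
	$check = wp_check_filetype( $filename, get_allowed_mime_types() );
	if ( ! empty( $check['type'] ) && ! empty( $check['ext'] ) ) {
		return true; // on the allow-list
	}
	return current_user_can( 'unfiltered_upload' ); // bypass only with the capability
}

// Constructed usage, e.g. from a plugin admin page:
// $clean = example_sanitize_submitted_html( $_POST['body'] );
// print_r( example_allowed_post_tags() );
// var_dump( example_is_upload_allowed( 'report.pdf' ) );  // true on default install
// var_dump( example_is_upload_allowed( 'tool.exe' ) );    // false without unfiltered_upload
```

Note that the upload gate is enforced in core's upload handler, not by the capability alone: defining ALLOW_UNFILTERED_UPLOADS only makes the capability grantable, and a user still needs it assigned before the type check is skipped.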
